Infosec Round-Up: May 15th 2020

Play Video

Norfund Breach, Celebrity Data hack, and Ransomware Research

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking the New York law firm hack that is holding celebrity data hostage, how paying a data ransom can affect the cost of recovery and a private equity company scammed out of $10 million. Welcome to the Hut Six Infosec Round-up.

100 Million Krona Lost in Suspected BEC

The private equity fund, Norfund has lost 100 million Krona, or $10 million USD to sophisticated online scammers.

Occurring in March, the money was lost when funds intended for a Cambodian microfinance company were diverted to a third-party account, following criminal intercepting key communications.

Believed to have been diverted to Mexico, the missing funds went unnoticed for around 6 weeks before the scam was discovered around the end of April.

With realistic design, content and language, Norfund has termed the attack an “advanced data breach”
Norfund, which is owned and funded by the Norwegian government’s Ministry of Foreign Affairs, has stated that they are working with law enforcement agencies across the territories to track down the lost funds and with security specialists to conduct a review of the company’s practices and systems.

Celebrity Data Stolen

A New-York law firm has fallen victim to a hack, loosing the personal data of clients such as Elton John, Lady Gaga and Madonna.

Grubman Shire Meiselas & Sacks this week acknowledge the loss of around 750GB of client data, much of which relates to plethora of entertainers, musical acts, and well-known companies, such as Facebook and Sony.

Thought to be stolen with the   aid of the infamous ransomware strand REvil, or Sodinokibi, this same software was used in the Travelex heist which demanded six million USD for the return of customer data.

In a press release, the company stated, “We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."

It is unknown how much is being demanded in this attack, or whether the firm will be paying the ransom.

Bringing us to our next story:

Paying Ransom Doubles Attack Cost

New research suggests that companies that pay a data ransom, end up spending almost double than those that do not.

As a prevalent form of cyber threat, it is thought that a ransomware attack now, on average costs around three quarters of a million USD for those that don’t pay, as opposed to almost one and a half for those who shed out.

Putting something of a stop to the idea that paying a ransom is the easiest and cheapest solution, the research also asserts that around only 6% of ransomware victims failed to get their data back, with the majority of companies relying on back-ups to recover information.

As well as the recent and destructive ransomware attack against IT services provider Cognizant, which is expected to cost somewhere between fifty and seventy million USD, this week offers plenty in the way of stark reminders regarding the ongoing danger of ransomware and the cost of being underprepared for attacks.

Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Remote Work - the New Normal?

The Age of Remote Work

4 Key Information Security Risks for remote work during lockdown. Blog from Information Security Awareness training provider Hut Six Security.

Top 10 Essential Information Security Awareness Training Topics for Employees

Top 10 Essential Security Awareness Training Topics - Hut Six

Top Cyber Security Awareness Training Topics · Phishing · Web Safety · Passwords · Malware · Mobile Devices · Wi-Fi · Social Engineering · Encryption · Backups · Sensitive Information.

Data Protection Act Responsibilities

Who is Responsible for Enforcing the Data Protection Act?

Who is Responsible for Enforcing the Data Protection Act? Information security awareness blog by Information Security training provider Hut Six Security

Hut Six Staff Snippets: Social Media and Privacy

Hut Six Staff Snippets: Social Media and Privacy - Hut Six

Priya, our Customer Success Specialist, talks about her favourite tutorial, Social Media & Privacy, which explains the dangers of social media sites and how to stay safe.

Data Protection Act Exemptions

Are There Any Exemptions to the Data Protection Act?

Are there any exemptions to the Data Protection Act? Blog by Information Security Awareness Training provider Hut Six Security.

Hut Six Staff Snippets: Assessing your Risk

Hut Six Staff Snippets: Assessing your Risk - Hut Six

Simon Fraser, our Managing Director, talks about his favourite tutorial, Assessing your Risk, which explains how businesses can assess the likelihood of a security risk occurring

Tech Nation Cohort Member - Hut Six

Hut Six Announces Tech Nation Cyber Membership

Hut Six are pleased to announce membership to Tech nation Cyber, the UK's national scale-up program for all things cyber and tech. Blog by Hut Six Security.

Hut Six Staff Snippets: Encryption

Hut Six Staff Snippets: Encryption - Hut Six

Pratteek Bathula, our Product Director, talks about his favourite tutorial, Encryption, which explains the principle of encryption and how it is used to keep your information safe.

Hut Six Staff Snippets: Password Security

Hut Six Staff Snippets: Password Security - Hut Six

Technical Director Dan walks us through the password security tutorial. New video from Information Security Awareness Training Provider Hut Six Security

Data Protection Principles

How Many Data Protection Principles are There?

How Many Data Protection Principles are There? And what do they all mean? Blog by Information Security Awareness Training provider Hut Six Security

Speak to us about your Cyber Awareness