InfoSec Round-Up: July 26th 2020


£1m Football Scam, Twitter Hack, Test and Trace & York Uni Data Breach

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

UK Test and Trace Breaks Data Law

The UK’s Department of Health has this week admitted that England’s test and trace program has broken data protection law by failing to carry out a privacy impact assessment.

Following concerns raised by the Open Rights Group (ORG), a digital freedoms advocacy organisation, the UK government has acknowledged that the official contact-tracing program was begun without conducting a report into how it would impact privacy.

A data protection impact assessment (DPIA) is required under the General Data Protection Regulation (GDPR) for any project that processes personal data, and test and trace asks citizens to share, amongst other things, their date of birth, cohabitees, recent locations and sexual partners.

Despite this failure, officials insist that the program has not resulted in any breach of data. Education Secretary Gavin Williamson stated on the matter: “We do need to have a test and trace system and we had to get that up and running at incredible speed… Are you really advocating that we get rid of a test and trace system? I don't think you are.”

ORG’s executive director, Jim Killock, accused the government of ‘recklessness’, stating: “A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”

FBI Investigates Twitter Hackers

Twitter has confirmed that the perpetrators of last week’s Twitter hack, which is now being investigated by the FBI, exploited platform tools to not only compromise around 130 accounts, but to also download personal account data.

In an update published by Twitter, the company said that the attackers targeted “employees through a social engineering scheme”, manipulating them to gain access to Twitter’s internal systems and bypass two-factor protections.

With access to the accounts, it’s thought that hackers were able to scam around $100,000 worth of bitcoin, in what some have termed an “unsophisticated” attack.

Amongst the accounts affected by the Twitter hack, which is now being examined by the Federal Bureau of Investigation, were those of Kanye West, Barack Obama, Elon Musk and Bill Gates.

It is thought that of the many accounts compromised, only eight were subject to attackers downloading account data, with none of these eight reportedly being verified accounts.

Twitter has apologised to users about the incident, stating: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”

Premier League Club Almost Loses £1m

An unnamed Premier League football club has recently come close to losing £1 million in a social engineering attack targeting a managing director.

According to the UK’s National Cyber Security Centre (NCSC), the attackers were able to intercept a transfer negotiation by hijacking an Office 365 account.

The scam, which was thankfully stopped when a bank flagged an issue with the payee account, is just one of the incidents described in the NCSC’s latest report into the cyber threat that sports organisations face.

Amongst the other incidents described were another football club whose turnstiles were locked in a ransomware attack, almost leading to the cancellation of a match, and a racecourse losing £15,000 to a spoofed version of eBay.

UK sports organisations are advised to improve their overall cyber security, with 70% having experienced a breach or incident in the past twelve months alone.

University Investigates Data Theft

The University of York has announced that student, staff and alumni information was breached in a ransomware attack levelled against third-party service provider ‘Blackbaud’.

The affected software company provides services to a number of healthcare organisations, educational institutions and charities, of which the University of York is just one.

In an official post, the university stated: “The cybercriminal was able to remove a copy of a subset of data from a number of [Blackbaud’s] clients. This included a subset of University of York data.”

Blackbaud also informed the university that the cyber-criminal’s demands for ransom ‘were met’ and that they had “received assurances… that the data had been destroyed.”

The breached data is thought to include names, student numbers, email addresses and fundraising activity; though the university notes that no bank details or other ‘encrypted’ data was accessible.

Having taken steps to inform the proper parties, the university expressed regret, adding “please be assured that we take data protection very seriously” and “we will continue to work with Blackbaud to investigate this matter”.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
