This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

UK Test and Trace Breaks Data Law

The UK’s Department of Health has this week admitted that England’s test and trace program has broken data protection law by failing to carry out a privacy impact assessment.

Following concerns raised by the Open Rights Group (ORG), a digital freedoms advocacy organisation, the UK government has acknowledged that the official contact-tracing program was begun without conducting a report into how it would impact privacy.

A data protection impact assessment (DPIA) is required under the General Data Protection Regulation (GDPR) for any processing of personal data that is likely to pose a high risk to individuals. Test and trace clearly falls into that category: it asks citizens to share, amongst other things, their date of birth, cohabitees, recent locations and sexual partners.

Despite this failure, officials insist that the programme has not resulted in any breach of data. Education Secretary Gavin Williamson stated on the matter: “We do need to have a test and trace system and we had to get that up and running at incredible speed… Are you really advocating that we get rid of a test and trace system? I don’t think you are.”

ORG’s executive director, Jim Killock, accused the government of ‘recklessness’, stating: “A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”

FBI Investigates Twitter Hackers

Twitter has confirmed that the perpetrators of last week’s Twitter hack, which is now being investigated by the FBI, used the platform’s internal tools not only to compromise around 130 accounts, but also to download personal account data.

In an update published by Twitter, the company says that the attackers targeted “employees through a social engineering scheme”, manipulating them to gain access to Twitter’s internal systems and bypass two-factor protections.

With access to the accounts, it’s thought that the hackers were able to scam around $100,000 worth of bitcoin, in what some have termed an “unsophisticated” attack.

Amongst the accounts affected by the hack, now being examined by the Federal Bureau of Investigation, were those of Kanye West, Barack Obama, Elon Musk and Bill Gates.

It is thought that of the many accounts compromised, only eight had their account data downloaded by the attackers, and none of these eight was reportedly a verified account.

Twitter has apologised to users about the incident, stating: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”

Premier League Club Almost Loses £1m

An unnamed Premier League football club has recently come close to losing £1 million in a social engineering attack targeting a managing director.

According to the UK’s National Cyber Security Centre (NCSC), the attackers hijacked the director’s Office 365 account and used it to intercept a transfer negotiation.

The scam, which was thankfully stopped when a bank flagged an issue with the payee account, is just one of the incidents described in the NCSC’s latest report into the cyber threat that sports organisations face.

Amongst the other incidents described were a football club whose turnstiles were locked by a ransomware attack, almost leading to the cancellation of a match, and a racecourse losing £15,000 to a spoofed version of eBay.

The NCSC recommends that UK sports organisations improve their overall cyber security, with 70% having experienced a breach or incident in the past twelve months alone.

University Investigates Data Theft

The University of York has announced that student, staff and alumni information was breached in a ransomware attack against the third-party service provider Blackbaud.

The affected software company provides services to healthcare organisations, educational institutions and charities, of which the University of York is just one.

In an official post, the university stated: “The cybercriminal was able to remove a copy of a subset of data from a number of [Blackbaud’s] clients. This included a subset of University of York data.”

Blackbaud also informed the university that the cybercriminal’s demands for ransom ‘were met’ and that it had “received assurances… that the data had been destroyed.”

The breached data is thought to include names, student numbers, email addresses and fundraising activity, though the university notes that no bank details or other ‘encrypted’ data were accessible.

Having taken steps to inform the appropriate parties, the university expressed regret, adding “please be assured that we take data protection very seriously” and “we will continue to work with Blackbaud to investigate this matter”.