InfoSec Round-Up: July 26th 2020
£1m Football Scam, Twitter Hack, Test and Trace & York Uni Data Breach
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
UK Test and Trace Breaks Data Law
The UK’s Department of Health has this week admitted that England’s test and trace program has broken data protection law by failing to carry out a privacy impact assessment.
Following concerns raised by the Open Rights Group (ORG), a digital freedoms advocacy organisation, the UK government has acknowledged that the official contact-tracing program was begun without conducting a report into how it would impact privacy.
A data protection impact assessment (DPIA) is required under the General Data Protection Regulation (GDPR) for any processing of personal data likely to result in a high risk to individuals; test and trace asks citizens to share, amongst other things, their date of birth, cohabitees, recent locations and sexual partners.
Despite this failure, officials insist that the program has not resulted in any breach of data. Education Secretary Gavin Williamson stated on the matter: “We do need to have a test and trace system and we had to get that up and running at incredible speed.... Are you really advocating that we get rid of a test and trace system? I don't think you are."
ORG’s executive director, Jim Killock, accused the government of ‘recklessness’, stating: “A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”
FBI Investigates Twitter Hackers
Twitter has confirmed that the perpetrators of last week’s Twitter hack, which is now being investigated by the FBI, exploited platform tools to not only compromise around 130 accounts, but to also download personal account data.
In an update published by Twitter, the company says the attackers targeted “employees through a social engineering scheme”, manipulating them into granting access to Twitter’s internal systems and bypassing two-factor protections.
With access to the accounts, it’s thought that hackers were able to scam around $100,000 worth of bitcoin, in what some have termed an “unsophisticated” attack.
Amongst the accounts affected by the hack, which is now being examined by the Federal Bureau of Investigation, were those of Kanye West, Barack Obama, Elon Musk and Bill Gates.
It is thought that of the many accounts compromised, only eight were subject to attackers downloading account data, with none of these eight reportedly being verified accounts.
Twitter has apologised to users about the incident, stating: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”
Premier League Club Almost Loses £1m
An unnamed Premier League football club has recently come close to losing £1 million in a social engineering attack targeting a managing director.
Reported by the UK’s National Cyber Security Centre (NCSC), hackers managed to intercept a transfer negotiation by hijacking an Office 365 account.
The scam, which was thankfully stopped when a bank flagged an issue with the payee account, is just one of the incidents described in the NCSC’s latest report into the cyber threat that sports organisations face.
Amongst the other incidents described were a football club whose turnstiles were locked by a ransomware attack, almost leading to the cancellation of a match, and a racecourse losing £15,000 to a spoofed version of eBay.
UK sports organisations are recommended to improve their overall cyber-security, with 70% experiencing a breach or incident in the past twelve months alone.
University Investigates Data Theft
The University of York has announced that student, staff and alumni information was breached in a ransomware attack levelled against third-party service provider ‘Blackbaud’.
Blackbaud provides software and services to a range of healthcare organisations, educational institutions and charities, of which the University of York is just one.
In an official post, the university stated: “The cybercriminal was able to remove a copy of a subset of data from a number of [Blackbaud’s] clients. This included a subset of University of York data.”
Blackbaud also informed the university that the cyber-criminal’s demands for ransom ‘were met’ and that it had “received assurances… that the data had been destroyed.”
The breached data is thought to include names, student numbers, email addresses and fundraising activity; though the university notes that no bank details or other ‘encrypted’ data was accessible.
Having taken steps to inform the proper parties, the university expressed regret, adding “please be assured that we take data protection very seriously” and “we will continue to work with Blackbaud to investigate this matter”.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.