InfoSec Round-Up May 28th
Amex Fines, Japan Hack & Darkside Strikes Again
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
American Express Fined
The UK’s data watchdog, the Information Commissioner’s Office (ICO) has fined the financial services company, American Express (Amex) £90,000 for sending more than four million unlawful marketing emails.
Sent between June of 2018 and May of 2019, the ICO launched their investigation after receiving multiple complains from Amex customers who were receiving emails despite having opted out of marketing lists.
Breaking Regulation 22 of the Privacy and Electronic Communications Regulations 2003, it is against the law for an organisation to send such communications unless consent has been freely given.
Having argued that customers would be ‘disadvantaged’ if they weren’t made aware of marketing campaigns, and that the emails were a requirement of its Credit Agreements, the ICO dismissed Amex’s defences as ‘groundless’.
Speaking on the fine, ICO Head of Investigations Andy Curry noted, “This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.”
Adding, “I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.”
Japan Government Data Breach
Data belonging to multiple Japanese government agencies has been breached via an information sharing tool, in what appears to be a supply chain attack.
The cloud-based software, ProjectWEB, a product of Japanese technology company Fujitsu, was temporarily disabled by the company after learning about the attack, which is known to have affected, amongst others, the Japanese Ministry of Land, Infrastructure, Transport and Tourism, and Narita International Airport.
With attackers gaining unauthorised access to sensitive data, including at least 76,000 email addresses, details regarding the extent of the attack are still not yet clear and the perpetrators remain unnamed.
Fujitsu have confirmed that they are conducting an investigation and working with law enforcement. A representative from the company has publicly stated: “Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities.”
Adding, “As a precautionary measure, we have suspended [the] use of this tool, and we have informed any potentially impacted customers.”
Darkside Strikes Again
UK-based insurance broken One Call Insurance has been hit with a ransomware attack, launched by the same ransomware syndicate behind the recent US Colonial Pipelines attack.
Forced to shut down company servers, the Doncaster-based company is reportedly being extorted to the tune of £15 million, with the gang threatening to publish data, including customer passwords and bank details.
Occurring only 6 days after the attack on Colonial Pipelines, One Call is yet to confirm the extent of the data affected, though have stated that they are working with forensic specialists to restore systems and that the relevant authorities have been notified.
A spokesperson for the company has stated: “Our IT team took steps to mitigate the impact of the attack by shutting off our servers. As we have been restoring our systems, we opted to prioritise supporting our existing customers and, therefore, at this time we are not accepting new instructions or onboarding new customers.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.
When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.
Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021
How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security
Best Ways To Ensure Enterprise Data Regulation guest blog by technivorz.com and information security awareness solution Hut Six Security.
Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.
Security program policies blog by information security awareness training provider Hut Six Security.
Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.
Information Security Awareness Training in 2021 blog by information security awareness training platform Hut Six Security
What are the best VPNs for work? - VPN review blog by security awareness training provider Hut Six Security.