InfoSec Round-Up May 28th


Amex Fines, Japan Hack & Darkside Strikes Again

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

American Express Fined

The UK’s data watchdog, the Information Commissioner’s Office (ICO), has fined the financial services company American Express (Amex) £90,000 for sending more than four million unlawful marketing emails.

The emails were sent between June 2018 and May 2019. The ICO launched its investigation after receiving multiple complaints from Amex customers who were still receiving emails despite having opted out of marketing lists.

Under Regulation 22 of the Privacy and Electronic Communications Regulations 2003, it is against the law for an organisation to send such communications unless consent has been freely given; Amex was found to have broken this regulation.

Amex argued that customers would be ‘disadvantaged’ if they weren’t made aware of marketing campaigns, and that the emails were a requirement of its Credit Agreements; the ICO dismissed these defences as ‘groundless’.

Speaking on the fine, ICO Head of Investigations Andy Curry noted, “This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.”

He added, “I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.”

Japan Government Data Breach

Data belonging to multiple Japanese government agencies has been breached via an information sharing tool, in what appears to be a supply chain attack.

The cloud-based software, ProjectWEB, a product of Japanese technology company Fujitsu, was temporarily disabled by the company after learning about the attack, which is known to have affected, amongst others, the Japanese Ministry of Land, Infrastructure, Transport and Tourism, and Narita International Airport.

Attackers gained unauthorised access to sensitive data, including at least 76,000 email addresses. Details regarding the full extent of the attack are not yet clear, and the perpetrators remain unnamed.

Fujitsu have confirmed that they are conducting an investigation and working with law enforcement. A representative from the company has publicly stated: “Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities.”

The representative added, “As a precautionary measure, we have suspended [the] use of this tool, and we have informed any potentially impacted customers.”

Darkside Strikes Again

UK-based insurance broker One Call Insurance has been hit with a ransomware attack, launched by the same ransomware syndicate behind the recent US Colonial Pipeline attack.

Forced to shut down company servers, the Doncaster-based company is reportedly being extorted to the tune of £15 million, with the gang threatening to publish data, including customer passwords and bank details.

The attack occurred only six days after the attack on Colonial Pipeline. One Call is yet to confirm the extent of the data affected, though the company has stated that it is working with forensic specialists to restore systems and that the relevant authorities have been notified.

A spokesperson for the company has stated: “Our IT team took steps to mitigate the impact of the attack by shutting off our servers. As we have been restoring our systems, we opted to prioritise supporting our existing customers and, therefore, at this time we are not accepting new instructions or onboarding new customers.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
