Infosec Round-Up Nov 12th
Google Privacy Case, REvil Bounty & Clinic Ransomware Attack
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
Google Privacy Case
The UK’s Supreme Court has rejected a mass-action lawsuit which sought billions of pounds in damages against Google over the alleged illegal tracking of millions of users.
Had the case, which began back in 2017, been allowed by the Supreme Court to continue, it would have set a significant precedent in terms of future mass actions; whereby one representative could have brought action on behalf of millions of others.
In his judgement of the case, Lord Leggatt stated that a key problem was the claimants lack of evidence regarding individual suffering or any material damage or distress as a result of a breach.
Richard Lloyd, former director of consumer rights group Which? who brought the case has responded to the decision stating: “We are bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other big tech firms who break the law.”
Adding, “Although the court once again recognised that our action is the only practical way that millions of British people can get access to fair redress, they've slammed the door shut on this case by ruling that everyone affected must go to court individually.”
US REvil Bounty
The US Department of State is offering up to $10 million for the identity or location of members of the notorious REvil (Sodinokibi) ransomware syndicate.
As part of the Transnational Organized Crime Rewards Program (TOCRP), this week’s announcement offers a reward of $10 million “for information leading to the identification or location of any individual holding a key leadership position” in the criminal group, as well as up to £5 million for affiliates.
Responsible for attacks against JBS, Travelex and more, two members of the REvil syndicate have this week been arrested by Romanian law enforcement, as well as having around $6 million seized by the US authorities.
In the announcement the Department of State noted, “In offering this reward, the United States is demonstrating its commitment to protecting ransomware victims around the world from exploitation by cyber criminals, and to working with nations willing to bring those criminals to justice.”
Adding, “The Department has paid more than $135 million in rewards to date.”
The British data storage company Stor-a-File has suffered a ransomware attack in which a total of 13 organisations have been affected, six of which are healthcare related.
Occurring in August of this year, the attack on the firm is reported to have been the result of unpatched software, leading to data being leaked on the darkweb by ransomware criminals.
The Lister Fertility Clinic, which treats around 2,000 patients each year, was one of those organisations affected; having sent a letter to around 1,700 patients warning medical records including consent forms, medical history, and fertility treatment records was amongst the data breached.
In a statement Stor-a-File said, “the incident is limited to the small number of records we hold electronically. Everyone whose data may have been affected has been contacted. The millions of company and organisation records, held physically in boxes on shelves in our warehouses were unaffected.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
UK Labour party data leaked by data handler. Facebook announces end to the use of facial recognition. US Commerce Department sanctions Israel's NSO Group.
GCHQ chief warns double in ransomware attacks. “Unprecedented” VOIP cyber-attack. Teen scammer has £2 million in crypto seized.
Computer maker Acer hacked twice in a single week. Ofcom reports almost 45 million people targeted by scammers. US restricts the sale of hacking tools.
125GB of Twitch data leaked. School IT tech charged in insider threat case. EU parliament votes against A.I surveillance.
iPhone contactless flaw could allow locked phone payments. China warns crypto “seriously endanger the safety of people’s assets”. Ethereum research facing 20 years in prison.
REvil steals loot from affiliate criminals. Lithuania warns of Chinese made phones. UK MoD exposes the data of Afghan interpreters.
Irish DPA investigates TikTok data collection. NSO Group flaw fixed. Microsoft announces passwordless future.
Ragnar Locker threatens victims with possible data leaks. UK student jailed for "cynical" cyber crime. ProtonMail faces criticism.
Insider threat destroys 21GB of credit union data. Hackers leak UK firearms marketplace data. Coinbase accidentally sends 125K warning emails.
Ethical hacker rewarded with $500K after returning stolen crypto. Japanese exchange attacked. US loses $2.3 million to BEC scam.