This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Amazon Suffers Insider Data Breach

It has been reported that Amazon has informed a number of users regarding a data breach involving employees sharing user data with an unnamed third party.

In the last several days, and following the receipt of notification emails, affected Amazon users took to Twitter in an attempt to understand the details and extend of the breach.

In the email, Amazon stated: ” your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement criminal prosecution”.

Though not the most commonly reported form of information security breach, around 70% of organisations observe that insider attacks are becoming more common, with the average cost of such a breach rising from $8.76 million in 2018 to $11.45 million in 2020.

This is not the first incident like this that Amazon has had to deal with. In January, the company let go a number of employees for disclosing email addresses and phone numbers.  The company is yet to disclose how many users have been affected.

Psychotherapy Clinic Patients Blackmailed

The records of around 300 Finnish psychotherapy patients have been published on the dark web following a breach that likely occurred several years earlier.

In a public statement, the Helsinki-based clinic announced “Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail,” adding: “In recent days, the blackmailer has published sections of the information he obtained during the hacking. Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom.”

The data, consisting of highly sensitive therapist session notes, was stolen in attacks occurring in November of 2018 and March 2019, and is being used to extort numerous patients, with the clinic itself reportedly being held to a further ransom of €450,000.

One victim, Jere, explained that the attacker, who refers to themselves as “the random guy” had demanded €500 in Bitcoin under threat of releasing sessions notes completed when the victim was a teenager.

With the President of Finland Sauli Niinisto labelling the attack as “cruel”, “repulsive” and “shocking in many ways”, security researcher Nikko Hypponen noted of the incident that “I am not aware of any such case anywhere in the world with such gross misuse of patient records.”

ICO Hits Experian with Enforcement Action

This week, the UK’s Information Commissioner’s Office (ICO) has announced that credit reference company Experian has been sharing the personal information of millions of people without proper consent.

Reportedly selling on data to third parties, including political parties, the company has been ordered by the ICO to make “fundamental changes” to how it handles data, or face fines.

The enforcement notice, which follows a two-year ICO investigation, states that several credit reference agencies (CRAs) including Experian, Equifax and TransUnion, were “trading, enriching and enhancing people’s personal data without their knowledge”, constituting a violation of data protection law.

Noting that Equifax and TransUnion have made the requisite improvements and would not face further action, the data watchdog added that Experian “did not go far enough” and “did not accept that they were required to make the changes set out by the ICO”.

Expressing their intent to appeal, Experian stated: “We believe the ICO [Information Commissioner’s Office]’s view goes beyond the legal requirements.” Adding, “this interpretation also risks damaging the services that help consumers, thousands of small business and charities, especially as they try to recover from the Covid-19 crisis.”

Vaccine Maker Suffers Cyber-Attack

An Indian pharmaceutical company has had operations halted at several global facilities following a significant ransomware attack.

Dr Reddy’s, which is in the process of producing potential COVID-19 treatments, including Russia’s Sputnik-V vaccine, announced the news to a 4% fall in stock prices earlier this week, initially revealing little in the way of details.

Though whether the attackers’ motivation was purely monetary or was intended to steal data is unclear, the attack forced the temporary shut down of some of Dr Reddy’s production facilities and the precautionary isolation of data centres.

In an update of the situation, Dr Reddy’s announced “we experienced an information security incident and consequently isolated the impacted IT services. This incident involved a ransomware attack.” Going on to say, “our investigation has not ascertained if any data breaches in the incident pertain to personally identifiable information.”

Just the latest attack on vaccine research facilities, COVID-19 related information currently represents perhaps the world’s most highly prized intellectual property.

In July, UK Security Minister James Brokenshire specifically called-out the Russian government, stating, “It’s just completely unacceptable when we have organisations that are working so incredibly hard in our Covid response… that agents linked to the Russian state should have taken action to try and steal intellectual property.”

Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.