InfoSec Round-Up: November 29th

€50M Ransomware Attack, Spotify Details Exposed & Man-United Breach

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Bristol Council Data Breach

Bristol City Council has shared the names and identities of hundreds of families with disabled children in what one affected party has referred to as “a fundamental breach of trust and data.”

The local council reportedly sent an email to the individuals asking for views on new support services, with the names of children, and email addresses of primary carers visible to all recipients.

The council director responsible for children and families, Ann James has apologised for the upwards of 487 identities that were revealed, asking all who received the email to delete it.

An affected parent, who wishes to remain anonymous said of the breach, “Ironically, it's about a survey that they want us to fill in to tell them how they can improve their services.” Adding, “it's very difficult to put into words how ridiculous and unnecessary it is."

A spokesperson for Bristol City Council responded, “we have been in contact with those affected and have apologised… Where staff have made a mistake the matter is addressed as a training issue, and where there have been failures in policy or process any necessary changes are made to reduce the risk of a similar incident occurring in the future.”

Manchester United Cyber Attack

Manchester United football club has confirmed that it has been hit with a cyber-attack and is currently working to minimise ongoing disruption to its IT systems.

In a statement published over the weekend, the football club did not elaborate regarding the nature of the attack, stating only that it was the efforts of a sophisticated operation by organised cyber criminals.

Noting that their website, mobile app, and planned events are unaffected, the club also stated that they are unaware of any breach of personal data associated with either their fans or customers.

According to data published by the UK’s NCSC, at least 70% of surveyed sports organisations have experience at least one cyber incident; with 30% reporting more than five in the last twelve months. The average cost per incident now costing the sector over £10,000.

Working with the Greater Manchester Police, the club stated they had, “extensive protocols and procedures in place for such an event and had rehearsed for this risk.” Adding, their “cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”

Sopra Steria Attack to Cost €50 Million

French IT services company Sopra Steria has revealed that a ransomware attack that occurred back in October will cost the company somewhere between €40 and €50 million.

The information technology giant, which employs 46,000 members of staff and provides services to clients such as the UK’s NHS, was reportedly hit with a strain of the Ryuk ransomware virus, the same malware responsible for the attack against Universal Health Services (UHS) which affected up to 400 health care facilities.

Having done its best to block the attack, Sopra Steria has stated that it has not identified any data leaks or any effect upon its customers’ information systems, despite recovery from the attack taking over a month.

Coming at a significant cost, the company announced, "The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between €40 million and €50 million." Noting that around €30 million would be covered by cyber insurance.

Spotify Users Details Exposed

Security researchers have discovered an exposed cloud database containing 72GB of email addresses, countries of residence and usernames and passwords for Spotify users.

Originally discovered and reported by researchers at vpnMentor back in July, of the upwards of 380 million records found, it is estimated that there are around 300,000 – 350,000 affected users.

Thought to be illegally obtained as part of a ‘credential stuffing’ campaign, the information could have been used as in a variety of online scams, including phishing, illegal account sales or even identity theft.

Responding swiftly to the notification, Spotify initiated a ‘rolling reset’ of passwords for affected accounts, thus voiding the damage that could be caused with the stolen information.

Harvested and compiled by unknown parties, the researchers behind the discovery noted a contributing factor to the database as “the pervasive use of weak passwords by so many consumers online.” Adding, “companies cannot prevent this from occurring since they do not control the passwords that consumers use.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.