InfoSec Round-Up: October 11th 2020


HMRC Phishing, H&M Fined €35m & UK DfE ICO Report

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

HMRC Received 500K Malicious Emails

Her Majesty’s Revenue and Customs (HMRC) has, between June and September, received over 521,000 malicious emails, around 128,000 of which were classified as phishing.

According to reports, around 72% of malicious emails received were spam and junk, 24.5% phishing, and almost 3% contained malware.

That amounts to over 5600 malicious emails per day, and HMRC is a favourite of online scammers: attackers regularly impersonate the organisation and target members of the public with promises of tax refunds and the like.

Though malicious emails may seem relatively innocuous and easily avoided, around 32% of all breaches are still thought to involve some form of phishing element, and the recent Covid pandemic has brought a huge boom in scammers exploiting the crisis.

Product Director here at Hut Six, Pratteek Bathula, had this to say:

“Unfortunately, as with all social engineering, the most effective attacks are those which leverage emotional and current events such as an overdue tax return or the COVID pandemic. The only defence an unwitting individual has against these attacks is to ensure that they view every alarming message or communication with a cool head and treat the message as suspicious until they can prove otherwise.”

US Treasury Bans Ransomware Payments

In an advisory published on the 1st of October, the US Treasury has warned companies that they could be fined for facilitating or paying ransoms to online cyber-gangs.

The advisory states: "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also reiterated that Americans are prohibited from engaging in transactions with entities on the office's Specially Designated Nationals and Blocked Persons List (SDN List), or with embargoed regions, such as Ukraine, Iran and North Korea.

With many ransomware attacks thought to be emanating from state actors (in particular North Korea), entities may also be held liable “even if [they] did not know or have reason to know [they were] engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."

The warning is a further reminder that robust information security practices cannot be substituted with post-hoc solutions; the advisory notes that "paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data."

UK Department for Education Fails to Meet GDPR Standards

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has this week published the less-than-perfect results of an audit into the Department for Education (DfE).

Carried out earlier this year, the investigation found that data protection was “not being prioritised”, and made a total of 139 recommendations for improvement, over 60% of which are classified as urgent.

The report stated of the DfE’s data practices: “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR”.

As well as citing “internal cultural barriers”, the report noted that the DfE only provides very limited training to staff in matters of data protection and governance, risk management, information security and individual rights, and “in some cases there is no assurance that staff are receiving any training whatsoever”.

H&M Fined €35m

The fashion retailer H&M has, after an investigation into its Nuremberg service centre, been fined a monumental €35m, or £32.1m, for the illegal surveillance of hundreds of members of staff.

The investigation, which was launched after a 2019 data breach exposed the extent of the company’s data collection, uncovered what the head of the German data authority, Johannes Caspar, described as a “gross disregard” for data protection rules.

The records kept by the company were deemed by the Hamburg Data Protection Authority (HmbBfDI) to be “excessive”, with the company recording information relating to, amongst other things, staff members’ families, religious beliefs and health.

The fine imposed on Hennes & Mauritz AB (H&M) is reported to be the largest levied against a company for GDPR violations involving employee data.

In a statement, the company said it takes “full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg,” as well as noting that all those “currently employed at the service centre, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
