InfoSec Round-Up: October 11th 2020
HMRC Phishing, H&M Fined €35m & UK DfE ICO Report
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
HMRC Received 500K Malicious Emails
Her Majesty’s Revenue and Customs (HMRC) has, between June and September, received over 521,000 malicious emails, around 128,000 of which were classified as phishing.
According to reports, around 72% of malicious emails received were spam and junk, 24.5% phishing, and almost 3% contained malware.
At over 5,600 malicious emails per day, HMRC is a favourite of online scammers: attackers regularly impersonate the organisation and target members of the public with promises of tax refunds and the like.
Though malicious emails may seem relatively innocuous and easily avoided, it is thought that around 32% of all breaches still involve some form of phishing element. The recent Covid pandemic has also brought a huge boom in scammers exploiting the crisis.
Product Director here at Hut Six, Pratteek Bathula, had this to say:
“Unfortunately, as with all social engineering, the most effective attacks are those which leverage emotional and current events such as an overdue tax return or the COVID pandemic. The only defence an unwitting individual has against these attacks is to ensure that they view every alarming message or communication with a cool head and treat the message as suspicious until they can prove otherwise.”
US Treasury Bans Ransomware Payments
On the 1st of October, the US Treasury issued an advisory warning companies that they could be fined for facilitating or paying ransoms to online cyber-gangs.
The advisory states: "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also reiterated that Americans are prohibited from engaging in transactions with entities on the office's Specially Designated Nationals and Blocked Persons List (SDN), or with embargoed regions such as Ukraine, Iran and North Korea.
With many ransomware attacks thought to emanate from state actors (North Korea in particular), entities may also be held liable “even if [they] did not know or have reason to know [they were] engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."
The warning comes as a further reminder that robust information security practices cannot be substituted with post-hoc solutions, noting "paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data."
UK Department for Education Fails to Meet GDPR Standards
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has this week published the less-than-perfect results of an audit into the Department for Education (DfE).
Carried out earlier this year, the investigation found that data protection was “not being prioritised”, and made a total of 139 recommendations for improvement, over 60% of which are classified as urgent.
The report stated of the DfE’s data practices: “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR”.
As well as citing “internal cultural barriers”, the report noted that the DfE only provides very limited training to staff in matters of data protection and governance, risk management, information security and individual rights, and “in some cases there is no assurance that staff are receiving any training whatsoever”.
H&M Fined €35m
The fashion retailer H&M has, after an investigation into its Nuremberg service centre, been fined a monumental €35m, or £32.1m, for the illegal surveillance of hundreds of members of staff.
The investigation, which was launched after a 2019 data breach exposed the extent of the company’s data collection, uncovered what the head of the German data authority, Johannes Caspar, described as a “gross disregard” for data protection rules.
The records kept by the company were deemed by the Hamburg Data Protection Authority (HmbBfDI) to be “excessive”, with the company recording information relating to, amongst other things, staff members’ families, religious beliefs and health.
The fine imposed on Hennes & Mauritz AB (H&M) is reported to be the largest levied against a company for GDPR violations involving employee data.
In a statement, the company said it takes “full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg,” and noted that all those “currently employed at the service centre, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.