This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

HMRC Received 500K Malicious Emails

Her Majesty’s Revenue and Customs (HMRC) has, between June and September, received over 521,000 malicious emails, around 128,000 of which were classified as phishing.

According to reports, around 72% of malicious emails received were spam and junk, 24.5% phishing, and almost 3% contained malware.

At over 5,600 malicious emails per day, HMRC is clearly a favourite of online scammers. Criminals regularly impersonate the organisation and target members of the public with promises of tax refunds and the like.

Though malicious emails may seem relatively innocuous and easily avoided, it is thought that around 32% of all breaches still involve some form of phishing element. The recent Covid pandemic has also brought a huge boom in scammers exploiting the crisis.

Hut Six’s Product Director, Pratteek Bathula, had this to say:

“Unfortunately, as with all social engineering, the most effective attacks are those which leverage emotional and current events such as an overdue tax return or the COVID pandemic. The only defence an unwitting individual has against these attacks is to ensure that they view every alarming message or communication with a cool head and treat the message as suspicious until they can prove otherwise.”

US Treasury Bans Ransomware Payments

In an advisory published on the 1st of October, the US Treasury has warned companies that they could be fined for facilitating or paying ransoms to online cyber-gangs.

The advisory states: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also reiterated that Americans are prohibited from engaging in transactions with entities on the office’s Specially Designated Nationals and Blocked Persons List (SDN), or with embargoed regions, such as Ukraine, Iran and North Korea.

With many ransomware attacks thought to be emanating from state actors (in particular NK), entities may also be held liable “even if [they] did not know or have reason to know [they were] engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

The warning comes as a further reminder that robust information security practices cannot be replaced by post-hoc solutions, with the advisory noting that “paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

UK Department for Education Fails to Meet GDPR Standards

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has this week published the less-than-perfect results of an audit into the Department for Education (DfE).

Carried out earlier this year, the investigation found that data protection was “not being prioritised”, and made a total of 139 recommendations for improvement, over 60% of which are classified as urgent.

The report stated of the DfE’s data practices: “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR”.

As well as citing “internal cultural barriers”, the report noted that the DfE only provides very limited training to staff in matters of data protection and governance, risk management, information security and individual rights, and “in some cases there is no assurance that staff are receiving any training whatsoever”.

H&M Fined €35m

The fashion retailer H&M has, after an investigation into its Nuremberg service centre, been fined a monumental €35m, or £32.1m, for the illegal surveillance of hundreds of members of staff.

The investigation, which was launched after a 2019 data breach exposed the extent of the company’s data collection, uncovered what the head of the German data authority, Johannes Caspar, described as a “gross disregard” for data protection rules.

The records kept by the company were deemed by the Hamburg Data Protection Authority (HmbBfDI) to be “excessive”, with the company recording information relating to, amongst other things, members of staff’s families, religious beliefs and health.

The fine imposed on Hennes & Mauritz AB (H&M) is reported to be the largest levied against a company for GDPR violations involving employee data.

In a statement, the company said that it takes “full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg,” as well as noting that all those “currently employed at the service centre, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.