InfoSec Round-Up: October 25th 2020

BA Fined, Instagram Investigated, Darkside Donations & PayPal Crypto

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

British Airways Fined £20 Million

BA has been hit with a £20m fine by the UK’s Information Commissioner’s Office (ICO) following a 2018 data breach which affected over 400,000 customers.

The incident, which went unnoticed for several months, was conducted by the loosely knit criminal gang known as Magecart; targeting payment information via the BA website and harvesting both personal and credit card data.

Considerably smaller than the £183m fine originally proposed back in 2019, the data protection authority noted that they took into consideration the economic impact of COVID-19 before settling upon £20m.

A spokesperson for BA noted on the ICO’s investigation, “we are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”

Information Commissioner Elizabeth Denman stated on the matter: "When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security".

Investigation into Instagram’s Handling of Children’s Data

Ireland’s Data Protection Commissioner (DPC) has launched an investigation into Instagram’s handling of underage users’ personal data.

The investigation comes admit claims that the platformed failed to protect data, including email addresses and phone numbers of users under the age of 18, and could lead to significant fines for the Facebook owned platform.

With headquarters located in Dublin, Ireland, Facebook will have its legal basis for processing children’s personal data investigated by the authority, as well as weather it employs “adequate protections and or restrictions on the Instagram platform for such [sic] children.”

In 2018, Facebook was issued with the then maximum fine of £500,000 for the inadequate protection of the personal information of users; a fine which if based on a post-GDPR incident, could have theoretically cost the company €20 million.

Read More: What is the Punishment for Breaking the Data Protection Act?

Graham Doyle, a deputy commissioner with DPC said on the matter, "Instagram is a social network that is widely used by children in Ireland and across Europe… the DPC has been actively monitoring complaints received from individuals… and has identified potential concerns in relation to the processing of children's personal data on Instagram, which requires further examination."

Cyber-Criminals Donate $10,000 in Bitcoin to Charities

It has been reported that cyber-criminal gang, Darkside, has donated thousands of dollars’ worth of bitcoin to charities Children International and The Water Project.

The two US charities received the funds anonymously via donations platform The Giving Block, though the group behind the cash announced their deeds on a darknet website, stating, “no matter how bad you think our work is, we are pleased to know that we helped change someone’s life”.

According to the law when donations are derived from criminal activity, charities cannot accept them, with one of the charities already publicly stating, “if the donation is linked to a hacker, we have no intention of keeping it.”

Why the donations were publicly announced is unclear, though the group does apparently maintain a set of ‘ethical principles’ when it comes to their criminality, generouslyrefraining from attacking hospitals, schools, governments or charities.

Security specialist at Comparitech, Brian Higgins, noted on the matter: “Firstly, $10,000 is a paltry sum in comparison to the vast amounts of money they’ve extorted from their victims… it’s hardly a grand philanthropic gesture and, secondly, no credible charity is ever going to accept donations which are demonstrably the proceeds of crime.”

PayPal Announces it Will Process Cryptocurrency

The payment systems company PayPal has announced it will be entering the crypto market by allowing their users to soon buy and sell, amongst other digital currencies, Bitcoin, Ethereum and Litecoin.

Causing a spike in the value of Bitcoin and PayPal’s share price, according to the company statement, the move will “significantly increase cryptocurrency's utility by making it available as a funding source for purchases at its 26 million merchants worldwide.”

Granted a conditional “Bit license” by the New York State Department of Financial Services, PayPal is looking to roll out this function within the next year.

Though still relatively niche, and frequently associated with illicit activity, PayPal CEO Dan Schulman said in the statement "The shift to digital forms of currencies is inevitable, bringing with it clear advantages in terms of financial inclusion and access; efficiency, speed and resilience of the payments system”.

Despite the companies optimism, David Gerard, a blockchain author, is sceptical about the move, stating: "I don't expect much of a market for this beyond existing crypto holders... I'm baffled that PayPal would offer this, and it's not clear what they're trying to do here."

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.