InfoSec Round-Up: October 25th 2020
BA Fined, Instagram Investigated, Darkside Donations & PayPal Crypto
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
British Airways Fined £20 Million
BA has been hit with a £20m fine by the UK’s Information Commissioner’s Office (ICO) following a 2018 data breach which affected over 400,000 customers.
The incident, which went unnoticed for several months, was carried out by the loosely knit criminal group known as Magecart, which targeted payment information entered on the BA website and harvested both personal and credit card data.
The fine is considerably smaller than the £183m originally proposed back in 2019; the data protection authority noted that it took the economic impact of COVID-19 into consideration before settling upon £20m.
A spokesperson for BA noted on the ICO’s investigation, “we are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
Information Commissioner Elizabeth Denham stated on the matter: "When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security".
Investigation into Instagram’s Handling of Children’s Data
Ireland’s Data Protection Commissioner (DPC) has launched an investigation into Instagram’s handling of underage users’ personal data.
The investigation comes amid claims that the platform failed to protect data, including the email addresses and phone numbers of users under the age of 18, and could lead to significant fines for the Facebook-owned platform.
With its European headquarters located in Dublin, Ireland, Facebook will have its legal basis for processing children’s personal data investigated by the authority, as well as whether it employs “adequate protections and or restrictions on the Instagram platform for such [sic] children.”
In 2018, Facebook was issued with the then-maximum fine of £500,000 for the inadequate protection of users’ personal information; a fine which, had it been based on a post-GDPR incident, could theoretically have cost the company €20 million.
Graham Doyle, a deputy commissioner with the DPC, said on the matter: "Instagram is a social network that is widely used by children in Ireland and across Europe… the DPC has been actively monitoring complaints received from individuals… and has identified potential concerns in relation to the processing of children's personal data on Instagram, which requires further examination."
Cyber-Criminals Donate $10,000 in Bitcoin to Charities
It has been reported that the cyber-criminal gang Darkside has donated thousands of dollars’ worth of bitcoin to the charities Children International and The Water Project.
The two US charities received the funds anonymously via donations platform The Giving Block, though the group behind the cash announced their deeds on a darknet website, stating, “no matter how bad you think our work is, we are pleased to know that we helped change someone’s life”.
Under the law, charities cannot accept donations derived from criminal activity, and one of the charities has already publicly stated, “if the donation is linked to a hacker, we have no intention of keeping it.”
Why the donations were publicly announced is unclear, though the group does apparently maintain a set of ‘ethical principles’ when it comes to its criminality, generously refraining from attacking hospitals, schools, governments or charities.
Brian Higgins, a security specialist at Comparitech, noted on the matter: “Firstly, $10,000 is a paltry sum in comparison to the vast amounts of money they’ve extorted from their victims… it’s hardly a grand philanthropic gesture and, secondly, no credible charity is ever going to accept donations which are demonstrably the proceeds of crime.”
PayPal Announces it Will Process Cryptocurrency
The payment systems company PayPal has announced it will be entering the crypto market by allowing its users to buy and sell Bitcoin, Ethereum and Litecoin, amongst other digital currencies.
The announcement caused a spike in the value of Bitcoin and in PayPal’s share price. According to the company statement, the move will “significantly increase cryptocurrency's utility by making it available as a funding source for purchases at its 26 million merchants worldwide.”
Granted a conditional BitLicense by the New York State Department of Financial Services, PayPal is looking to roll out this function within the next year.
Though cryptocurrency remains relatively niche and is frequently associated with illicit activity, PayPal CEO Dan Schulman said in the statement: "The shift to digital forms of currencies is inevitable, bringing with it clear advantages in terms of financial inclusion and access; efficiency, speed and resilience of the payments system”.
Despite the company’s optimism, David Gerard, a blockchain author, is sceptical about the move, stating: "I don't expect much of a market for this beyond existing crypto holders... I'm baffled that PayPal would offer this, and it's not clear what they're trying to do here."
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.