Security News for the Week Ending January 17, 2020
Orphaned Data in the Cloud
Researchers at security firm vpnMentor found an unsecured S3 bucket holding passports, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies. Many of the firms involved are no longer in business.
The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9th, and the bucket was taken offline by Amazon (likely at the request or order of UK CERT) on December 19th.
For the people affected, if these companies are out of business, there is no one to sue. Under GDPR, it is unclear who the government can go after if the companies no longer exist. I suspect that the problem of orphaned data is only going to become a bigger problem over time. This includes data stored by employees who have since left the company and never “registered” their data trove with the company’s data managers. It is one more reason to get a better handle on where your data is stored. Source: UK Computing
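The story above does not say how the bucket was left open, and neither vpnMentor’s method nor any AWS account details are on the page. The following is an added example (not the page’s code and not vpnMentor’s) of the check a practitioner would want to run over their own inventory: it takes the three things AWS will tell you about a bucket (its bucket policy, its ACL grants and its Block Public Access configuration, in the JSON shapes the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls return) and flags anything reachable by anyone. The bucket name and the sample policy, ACL and configuration are constructed for the example so that it runs offline; in practice you would feed it the output of those API calls for every bucket in every account, including the ones nobody remembers creating.

```python
import json

# ACL group URIs that make a bucket readable by the whole Internet (AllUsers)
# or by anyone holding any AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four switches that together make up S3 Block Public Access.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anyone(principal):
    """True if a policy Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or positions) of Allow statements open to any principal
    and not narrowed by a Condition block. Conditioned wildcard grants are left
    for manual review rather than flagged automatically."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(grants):
    """Return (group, permission) pairs the ACL hands to the public groups."""
    out = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def block_public_access_complete(config):
    """True only when all four Block Public Access settings are on."""
    return all(config.get(key) is True for key in BPA_KEYS)


def audit_bucket(name, policy_json, grants, bpa_config):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for sid in public_policy_statements(policy_json):
        findings.append(f"{name}: bucket policy statement {sid} allows any principal")
    for group, perm in public_acl_grants(grants):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    if not block_public_access_complete(bpa_config):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    return findings


# Constructed sample inputs (hypothetical bucket name; not real account data).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hr-archive-example/*",
    }],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HrReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hr-archive-example/*",
    }],
})
OPEN_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PRIVATE_ACL = [OPEN_ACL[0]]
FULL_BPA = {key: True for key in BPA_KEYS}

if __name__ == "__main__":
    for line in audit_bucket("hr-archive-example", OPEN_POLICY, OPEN_ACL, {}):
        print(line)
```

Run against the open sample this reports three findings (a wildcard policy statement, an AllUsers READ grant, and Block Public Access off); the scoped policy with a private ACL and all four Block Public Access flags set reports nothing. Conditioned wildcard grants are deliberately not flagged, because a `Condition` on source VPC or IP may well make them legitimate, so they belong on a review list rather than in an automatic alert.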
Ransomware 2.0 Continues and Expands
I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks. While we saw threats in the past, we did not see any follow through. In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.
However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data. REvil is the ransomware that is afflicting Travelex.
Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack. Backups are no longer sufficient. Source: Bleeping Computer
The Travelex Saga (Continued)
FRIDAY January 17, 2020
Travelex says that the first of its customer facing systems in Britain is now back online. The automated ordering system that some of its bank customers use is now working, but its public web site is still down. Virgin Money, Tesco Bank and Barclays still say their connections are down. Source: Reuters
WEDNESDAY January 15, 2020
This incident likely falls under the purview of GDPR, and the UK’s Information Commissioner’s Office says that Travelex did not report it to them within the legally mandated 72-hour window. Travelex says that no customer data was compromised in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data, and Travelex was said to be negotiating with them). When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.” Translated: “we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.” If the ICO finds that they did not report and there was a GDPR-covered event, it could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr, whose revenue is estimated at around $1.5 billion. That, of course, is just one of the costs. Their public web site is still down and has been down for 16 days now. Source: UK Computing
MONDAY January 13, 2020
Travelex says that they are making good progress with their recovery, whatever that means. They say that services will be restored soon. Their website, however, is still down. Travelex is still saying that they have seen no evidence that the customer data that was encrypted was exfiltrated, although the hackers who say they are responsible claim that they will release the data on the 14th (tomorrow) if they don’t get paid. Source: ZDNet
Nemty Ransomware Joins the Ransomware 2.0 Crowd
The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day. Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them. Backups are no longer sufficient. Source: SC Magazine
RE Travelex
Maybe in this case, Travelex is right…maybe the data was not exfiltrated since nothing was released on the 14th.
Or…negotiations continue in the background.
I suspect they paid.