A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2021.
How not to disclose a Hack
UK fashion retailer FatFace angered customers with its handling of a customer data theft. The clothing retailer revealed a data theft that included its customers’ full names, home addresses, email addresses, and partial debit/credit card details. The payment card details included the last four digits of the card number and the card’s security verification code. Under the Payment Card Industry Data Security Standard, the latter code must never be stored after a payment card authorisation, so it would appear the business was not PCI DSS compliant at the time of the hack. That strongly suggests the business may not have been doing enough of the expected IT security good practices to prevent being hacked in the first place, a poor IT defence posture which appears to have been corroborated by their hackers.
FatFace CEO Liz Evans released a statement which said “On 17th January 2021 FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation with the assistance of experienced security professionals who, following a thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorising the data potentially involved in the incident.”
Customers were said to be angered that it took FatFace over two months to notify them of the breach; under the UK Data Protection Act (GDPR), UK businesses are required by law to notify data subjects (customers) within 72 hours of learning their personal data had been compromised. Customers were said to be further incensed that the emails FatFace sent them were titled “Strictly private and confidential”, which they considered implied they should help FatFace cover up the breach, and to boot there was no apology from the FatFace CEO.
IT teams to implement email filtering
conduct employee phishing tests
conduct penetration testing
review Active Directory password policy
invest in better endpoint detection and response (EDR) technology, apparently recommending Cylance or VMware Carbon Black
better protect the internal network and isolate critical systems
implement offline storage and tape-based backup
All very sound advice.
More and More Ransomware Attacks
The Harris Federation, which runs 50 primary and secondary schools, and Birmingham College probably wished they had followed the alleged Conti gang’s anti-ransomware security advice after they were taken out by ransomware attacks.
The ransomware epidemic dominated the 2021 Palo Alto Networks Unit 42 Report, echoing the constant stream of IT media headlines: ransomware gangs continue to evolve their tactics and operations, and are making ever more serious money. We are within a golden age of ransomware crime, and there are no signs of a respite. PA Unit 42 found that the average ransom paid by organisations nearly tripled over the past year, from $115,123 in 2019 to $312,493. High-end ransoms have gone up significantly too. Between 2015 and 2019, the largest-known individual ransom demand was $15 million. In 2020 groups were demanding as much as $30 million to unlock a victim’s files and systems.
Microsoft Exchange Zero-Day, Exploitations Led by Hafnium
Further information about the Exchange Server zero-day vulnerability exploitations came to light throughout March, as summarised below.
UK Gov to Ramp up Cyber Offences and Defences
The NCF review will “set out the importance of cyber technology” to the UK’s way of life “whether it’s defeating our enemies on the battlefield, making the internet a safer place or developing cutting-edge tech to improve people’s lives.“ Basing this task force in the North of England is intended to generate economic growth in the digital and defence industries while drawing in the private sector and academia to work with the government on projects.