May was a bumper month for data breaches, with 49.8 million records breached across 77 incidents, compared with 14 million across 80 incidents in April. Most of May's incidents were global, but the UK-specific reports have mostly involved human error.
Verizon releases annual data breach report
Verizon has released its annual data breach report highlighting that:
😔 82% of breaches have a human aspect – this is why cyber training is essential
📈 13% increase in ransomware breaches, which is an increase larger than the previous five years combined
⚠️ 62% of incidents involving system intrusion came as a result of supply chain compromise. In related news, the National Cyber Security Centre has joined international partners to release supply chain guidance.
Three separate UK data breaches result from employee action
University of Essex | Cornwall Council | Central Bedfordshire Council
May was a month that highlighted the value of employee training, alongside system safeguards, in protecting against data breaches. The University of Essex revealed that a breach back in March occurred after a third-party supplier attached a spreadsheet containing student IDs, dates of birth and contact details to an email. The email was actually requesting payment for repairs to a door, but included the spreadsheet of student data.
Next up, Cornwall Council accidentally published the personal contact details of five school children in its public meeting minutes. The details were published in full due to human error, as part of an agenda item discussing appeals made by parents in relation to school transport.
Finally, Central Bedfordshire Council has been labelled "incompetent" by the parents of a number of Special Educational Needs (SEN) students, after releasing the students' data in response to a freedom of information request.
Human error is the weakest link in the cybersecurity chain, resulting in accidental and deliberate releases of data that should not be publicly available. As we reported last month, it was the number one cause of incidents last year. Cyber security training can do a lot to improve employee performance and reduce risk, and there are also a number of security features that can monitor for and protect against data breaches.
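The Essex incident above is the classic outbound-email leak: a spreadsheet of personal data attached to an unrelated invoice. One of the "security features" that catches this is an outbound attachment scan that blocks mail carrying identifiers, dates of birth or contact details. The following is an added example written for this post, not code from the University of Essex or any product; the CSV, the email addresses and the `S1234567` student ID format are all constructed, and the regexes are illustrative rather than exhaustive.

```python
import re
from email.message import EmailMessage

# Patterns for the kinds of data the story says were attached (identifiers,
# dates of birth, contact details). Illustrative, not exhaustive.
PII_PATTERNS = {
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "student_id": re.compile(r"\bS\d{7}\b"),  # assumed local ID format
}
# Column headings that mark a spreadsheet as holding personal data.
SENSITIVE_HEADERS = re.compile(r"student[_ ]?id|date[_ ]?of[_ ]?birth|\bdob\b", re.I)

# Constructed sample: the attachment a supplier might add to an invoice by mistake.
SAMPLE_CSV = """\
student_id,date_of_birth,email,phone
S1234567,14/03/2001,alice@example.ac.uk,07700 900123
S2345678,02/11/2000,bob@example.ac.uk,07700 900456
S3456789,29/07/2002,carol@example.ac.uk,07700 900789
"""


def build_message(attachment_text, filename="repairs.csv"):
    """Assemble an outbound invoice email with a CSV attachment (test fixture)."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "estates@university.example"
    msg["Subject"] = "Invoice: door repair"
    msg.set_content("Please find the invoice for the door repair attached.")
    msg.add_attachment(attachment_text, subtype="csv", filename=filename)
    return msg


def scan_attachments(msg):
    """Count PII matches and sensitive column headings in every attachment."""
    findings = []
    for part in msg.iter_attachments():
        content = part.get_content()
        if isinstance(content, bytes):
            content = content.decode("utf-8", "replace")
        lines = content.splitlines()
        findings.append({
            "filename": part.get_filename(),
            "counts": {n: len(p.findall(content)) for n, p in PII_PATTERNS.items()},
            "sensitive_header": bool(lines and SENSITIVE_HEADERS.search(lines[0])),
        })
    return findings


def decide(findings, max_dob=0):
    """'block' when an attachment carries dates of birth beyond the allowance,
    or a sensitive column heading together with matching values."""
    for f in findings:
        total = sum(f["counts"].values())
        if f["counts"]["date_of_birth"] > max_dob or (f["sensitive_header"] and total):
            return "block"
    return "allow"


if __name__ == "__main__":
    for text, name in [(SAMPLE_CSV, "repairs.csv"),
                       ("item,cost\ndoor hinge,45.00\nlabour,120.00\n", "invoice.csv")]:
        findings = scan_attachments(build_message(text, name))
        print(name, decide(findings), findings[0]["counts"])
```

The header check matters as much as the value patterns: a column labelled `date_of_birth` is a strong signal even when the date format differs from the regex, and combining the two keeps a genuine invoice with a stray date from being blocked.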
Ikea Canada also notified officials of an employee-led breach in May, after the personal details of 95,000 customers appeared in a "generic search" of its customer database run by an employee. Details of the search and its purpose have not been revealed, but the exposed data included customer names, email addresses, phone numbers and postal codes, and potentially loyalty programme numbers as well.
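A search that returns 95,000 customer records from an internal application is the kind of event a database audit log can surface before anyone reports it. As an added example (not Ikea's logging, and not from the article), the check below parses constructed audit lines in an assumed `key=value` format and flags any query whose row count exceeds a hard limit or is far above that user's own median.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit log lines in an assumed "key=value" format.
AUDIT_LOG = """\
2022-05-02T09:01:10Z user=asmith action=SEARCH table=customers rows=3
2022-05-02T09:14:52Z user=asmith action=SEARCH table=customers rows=1
2022-05-02T10:40:07Z user=bjones action=SEARCH table=customers rows=12
2022-05-02T11:02:33Z user=asmith action=SEARCH table=customers rows=2
2022-05-03T08:45:19Z user=bjones action=SEARCH table=customers rows=8
2022-05-03T14:27:41Z user=bjones action=SEARCH table=customers rows=95000
2022-05-03T15:10:05Z user=asmith action=EXPORT table=customers rows=450
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                  r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")


def parse_audit_log(text):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            event = m.groupdict()
            event["rows"] = int(event["rows"])
            events.append(event)
    return events


def flag_bulk_access(events, hard_limit=1000, ratio=20):
    """Return events that look like bulk retrieval of customer records.

    An event is flagged when it returns more than hard_limit rows, or more
    than ratio times the median row count of that user's other queries, so a
    user whose normal lookups return a handful of rows stands out even below
    the hard limit."""
    by_user = defaultdict(list)
    for idx, e in enumerate(events):
        by_user[e["user"]].append((idx, e["rows"]))
    flagged = []
    for idx, e in enumerate(events):
        others = [r for i, r in by_user[e["user"]] if i != idx]
        baseline = max(statistics.median(others), 1) if others else 1
        if e["rows"] > hard_limit or e["rows"] > ratio * baseline:
            flagged.append({**e, "baseline": baseline})
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_access(parse_audit_log(AUDIT_LOG)):
        print(f"{hit['ts']} {hit['user']} {hit['action']} rows={hit['rows']} "
              f"(user median {hit['baseline']})")
```

With the sample data both the 95,000-row search and the 450-row export are flagged: the first by the hard limit, the second only by the per-user ratio, which is the point of keeping a baseline rather than a single global threshold.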
Canada proposes G7 Cyber Incident team
In the wake of news that the invasion of Ukraine was preceded by a series of cyber attacks, Canada has proposed the launch of a G7 cyber security team to provide rapid responses to threats and to pool knowledge and resources.
NewProfilePic.com app warning
Experts have issued a warning over the data privacy and security of the NewProfilePic app, which turns users' profile pictures into digital artworks for use on social media. It comes after it was revealed that the app is registered in Russia and is sending large amounts of data back to that country for no obvious reason.
Ukraine conflict exploited by fraudsters
Hundreds of scam websites have been launched and identified that seek to exploit those looking to donate to the Ukraine crisis. Some have used the branding of established charities such as Save The Children, while others have created their own small-scale "campaigns" that don't really exist. Many of the scams use emotionally charged language, including pretending to be real people in Ukraine in need of help. It is essential that users double-check the validity of sites and follow official links, such as the Disasters Emergency Committee, to make donations.
Twitter fined for selling data
While it is not strictly a case of leaked data, the Federal Trade Commission (FTC) and the Department of Justice have fined Twitter $150 million (circa £119 million), stating that it violated regulatory agreements by selling user data to advertisers. It had promised not to share personal details such as phone numbers and email addresses, but did in fact share them with advertisers.
Five years on, WannaCry's impact on the NHS assessed
Five years ago in May, the WannaCry ransomware exploited vulnerabilities in Microsoft operating systems. Despite Microsoft having released security patches, it had a significant impact, most notably on the NHS, where users had failed to apply the security updates or were running end-of-life operating systems such as Microsoft's Windows XP. For the NHS specifically, academics have released new analysis of the impact and found that:
⬇️ there was a 6% decrease in admissions at the infected hospitals (1,100 fewer emergency department (ED) admissions and 2,200 fewer elective admissions)
😷 3,800 fewer patients were seen in emergency departments
❌ 13,500 appointments were cancelled
💷 the overall estimated cost was £5.9m in lost resources and productivity.
Pro-Russian hackers attempted to disrupt Eurovision Song Contest
In an act of "hacktivism", pro-Russian hackers attempted, but failed, to disrupt the broadcast of the Eurovision Song Contest. The Russia-allied hacking group Killnet attacked Eurovision's network infrastructure in Turin, Italy, but was rebuffed by responses from law enforcement agencies.
Fraudster convicted after US Department of Defence tricked into paying $23.5 million
The Department of Justice has convicted Sercan Oyuntur, a California resident who managed to divert payments from the US Department of Defence to his personal bank account. The payments were originally destined for a jet fuel supplier and were intercepted through a phishing scam in 2018. Oyuntur and his conspirators registered the domain "dia-mil.com", which closely resembles the legitimate "dla.mil", and used it to send phishing emails containing links to a cloned login.gov website, which was used to access a vendor database. Users fell for the scam and entered their account details, which ultimately resulted in funds being transferred to bank accounts belonging to Oyuntur.
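The "dia-mil.com" versus "dla.mil" swap works because "i" and "l" look alike and a hyphen stands in for the dot. A mail gateway can catch this class of domain before a user sees it by folding confusable characters, stripping separators and comparing the sender's domain against the organisation's trusted partner list. The following is an added example written for this post, not code from the DoJ case or from any vendor; the trusted list (apart from the two domains named in the story), the `From:` headers and the confusable table are assumptions.

```python
import re
from email.utils import parseaddr

# Domains this organisation legitimately exchanges mail with. "dla.mil" and
# "login.gov" are taken from the story; the third entry is a constructed example.
TRUSTED_DOMAINS = ["dla.mil", "login.gov", "example-vendor.com"]

# Characters that look alike in common fonts are folded onto one representative,
# so that "dia-mil" and "dla.mil" collapse to the same skeleton.
CONFUSABLES = str.maketrans({"l": "1", "i": "1", "o": "0"})


def skeleton(name: str) -> str:
    """Reduce a domain or label to a comparable form: lowercase, two-letter
    confusables folded, separators removed, single-character confusables folded."""
    s = name.lower().replace("rn", "m").replace("vv", "w")
    s = re.sub(r"[^a-z0-9]", "", s)
    return s.translate(CONFUSABLES)


def forms(domain: str) -> set:
    """Skeletons of the whole domain and of the domain without its last label,
    so 'dia-mil.com' yields both 'd1am11c0m' and 'd1am11'."""
    labels = domain.lower().rstrip(".").split(".")
    result = {skeleton(domain)}
    if len(labels) > 1:
        result.add(skeleton(".".join(labels[:-1])))
    return result


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for an exact match, 'lookalike:<trusted>' when the domain
    collapses onto a trusted one (or is one edit away), otherwise 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    candidate = forms(domain)
    for t in trusted:
        for tf in forms(t):
            for cf in candidate:
                # An exact skeleton match always counts; the one-edit rule only
                # applies to longer skeletons to avoid flagging short names.
                if cf == tf or (len(tf) >= 6 and edit_distance(cf, tf) <= 1):
                    return f"lookalike:{t}"
    return "unknown"


def classify_sender(from_header: str) -> str:
    """Classify the address found in a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    return classify_domain(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    for hdr in ['"DLA Vendor Payments" <payments@dia-mil.com>',
                "contracts@dla.mil", "noreply@login-gov.com", "hr@dna.com"]:
        print(f"{hdr!r:50} -> {classify_sender(hdr)}")
```

The comparison deliberately runs on the domain with and without its last label, because the look-alike in this story keeps the target's name intact and only changes the suffix; a plain edit-distance check on the full string would miss it. The length floor on the one-edit rule is what stops a three-letter stem such as "dla" from matching every unrelated three-letter domain.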
LockBit ransomware interrupts German library service
The German library service EKZ Bibliotheksservice has become the latest victim of the LockBit ransomware, after it spread through the service's systems and prevented members from borrowing digital titles, including ebooks, audiobooks and digital magazines.
Other stories you might find interesting:
- Britain’s banks warn over “advance fee” scams
- Small businesses are leaving themselves at risk of cyber attacks
- Cyber Liability Insurance Compliance
- UK seeks views on data infrastructure
- EU agrees new legislation
- Read our guidance on printer security
- Experts express desire to move beyond passwords
- Hacking can be personal
- Google gives users more control over search listings amid doxxing rise
- Popular gaming platform Roblox goes offline
- Scam warning: beware the screen share