At a glance.
- Third-party data exposure affects the British Council.
- Inside Trickbot, running its crime like a business.
- Updates on the Pegasus controversies.
- Greek data authority levies fines for privacy missteps.
British Council student data left unsecured.
Cybersecurity firm Clario, along with security researcher Bob Diachenko, discovered an unsecured Microsoft Azure blob containing over 144,000 files of student records belonging to the British Council, an education nonprofit which promotes the international study of British culture and the English language. BleepingComputer reports that the exposed data included student names, IDs, usernames, email addresses, and other personal info. The researchers notified the British Council of the unprotected database on December 5, but after not receiving a response for forty-eight hours, they resorted to contacting the Council via Twitter. The data were finally secured on December 23.
Though Diachenko estimates that hundreds of thousands of individuals were impacted by the data breach, the British Council told SecurityWeek that the number is actually much lower. “The data in question was held and processed by a third party service provider. Approximately 10,000 records were accessible in a way that should not have occurred. On becoming aware of this, our third party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future,” the Council stated.
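The exposure above came down to a storage container that answered requests without credentials. A defender auditing its own (or a supplier's) Azure storage can test for that directly: the List Blobs operation accepts unauthenticated requests when container-level public access is enabled. The script below is an added example, not code from Clario, Diachenko, or the British Council. It issues an anonymous List Blobs request (`restype=container&comp=list`, a documented Azure Blob Storage operation) and classifies the answer; the account and container names, and the two sample responses it runs against offline, are constructed for illustration, and the error-document shape it parses is assumed to match Azure's `<Error><Code>…</Code></Error>` format.

```python
"""Check whether an Azure Blob Storage container answers anonymous List Blobs requests.

Added example: audits storage you are responsible for. Account/container names and the
sample responses below are constructed, not taken from any real incident.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def anonymous_list_url(account: str, container: str) -> str:
    """Build the unauthenticated List Blobs URL (no SAS token, no Authorization header)."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def classify_listing(status: int, body: bytes) -> dict:
    """Interpret a List Blobs response received without credentials.

    A 200 carrying an <EnumerationResults> document means anyone on the internet can
    enumerate the container; anything else is treated as 'not anonymously listable'.
    """
    if status == 200:
        root = ET.fromstring(body)
        if root.tag == "EnumerationResults":
            names = [b.findtext("Name") or "" for b in root.iter("Blob")]
            return {
                "anonymous_listing": True,
                "blob_count": len(names),
                "blob_names": names,
                "reason": "container listing returned without credentials",
            }
        return {"anonymous_listing": False, "blob_count": 0, "blob_names": [],
                "reason": "HTTP 200 but body is not an EnumerationResults document"}

    # Non-200: pull the error <Code> out of the XML error body if there is one.
    code = ""
    try:
        code = ET.fromstring(body).findtext("Code") or ""
    except ET.ParseError:
        pass
    return {"anonymous_listing": False, "blob_count": 0, "blob_names": [],
            "reason": f"HTTP {status} {code}".strip()}


def check_container(account: str, container: str, timeout: float = 10.0) -> dict:
    """Perform the live anonymous request against a container you own and classify it."""
    req = urllib.request.Request(anonymous_list_url(account, container))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # Azure returns the error document in the body
        return classify_listing(err.code, err.read())


# Constructed sample responses so the classifier can be exercised offline.
PUBLIC_LISTING_SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="students">
  <Blobs>
    <Blob><Name>records/student-0001.csv</Name></Blob>
    <Blob><Name>records/student-0002.csv</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

PRIVATE_SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<Error>
  <Code>PublicAccessNotPermitted</Code>
  <Message>Public access is not permitted on this storage account.</Message>
</Error>"""


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in check_container()
    # with your own account/container names to run the live check.
    print(classify_listing(200, PUBLIC_LISTING_SAMPLE))
    print(classify_listing(404, PRIVATE_SAMPLE))
```

Run the offline demonstration as-is, or call `check_container("<your-account>", "<your-container>")` for each container in an inventory; any result with `anonymous_listing` set to `True` is a container whose access level should be reviewed, and the `blob_names` list shows exactly what an unauthenticated party would see.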
Trevor Morgan, product manager with comforte AG, wrote to deplore human error and recommend tokenization:
“The British Council’s unsecured Azure blob containing up to ten thousand student records—replete with data subjects’ PII—underscores once again the fact that simple operational oversight and human error can cause big problems, especially when third parties and cloud resources are involved. While it appears that a third party which was handling and processing the information might be culpable, this does not absolve the primary organization, in this case the British Council, from ensuring that all sensitive data is fully protected at all times, especially when destined to wind up in cloud resources.
“One way to avoid this situation is always to secure data as soon as it enters your ecosystem with strong data protection in the form of tokenization or format-preserving encryption. These protection methods retain the original data format, making it easier for business applications to work with the data while still in a protected state, and without costly application customizations. That way, even if the information winds up in the wrong hands (or accidentally gets placed in a publicly accessible repository), nobody can comprehend and thus leverage the sensitive data for personal gain. No organization wants to get schooled by the fallout of an inadvertent data breach, so consider this situation a primer in the value of data protection.”
Inside Trickbot’s inner circle.
After obtaining insider communications, Wired shares details about the future plans of Trickbot, the infamous Russian cybergang that was disrupted by US Cyber Command in 2020. The raid created only a minor hurdle for the threat group, also known as Wizard Spider, which has since expanded its operations with new-and-improved malware. Based on the gang’s messages, Trickbot’s inner circle is composed of about six criminals, each with their own specialized skill set, led by a big boss who goes by the handle "Stern." The group’s membership, which ranges from one hundred to four hundred hackers, is structured much like a traditional company, with managers who oversee lower-ranked worker bees. The messages also expose details about the gang’s recruitment process, as well as its plans to expand in the coming weeks into offices in Saint Petersburg. Alex Holden, Trickbot expert and CEO of cybersecurity firm Hold Security, says the messages foreshadow a future in which the group could become Russia’s premier cybergang. “Last year they invested more than $20 million into their infrastructure and growth of their organization,” he stated. “You expand in the hope of getting that money back in spades. It’s not like they are planning to close the shop. It’s not like they are planning to downsize or run and hide.”
Updates on the Pegasus scandal.
In the never-ending fallout from the Pegasus Project, former Mobileum employee Gary Miller alleges that Pegasus surveillance software maker NSO Group offered the US mobile-security firm “bags of cash” in exchange for access to the SS7 global cellular signaling network. The Washington Post explains that the SS7 network helps cellular companies route roaming calls and services. Companies like NSO use access to such networks to obtain the geolocation of a surveillance target, and it falls to companies like Mobileum to prevent such tracking by restricting access to the network. Miller shared his allegations with US Representative Ted Lieu (Democrat, California 33rd), who has requested an investigation by the Department of Justice (DOJ). When asked for comment, NSO said that it had “never done any business with” Mobileum, that it “does not do business using cash as a form of payment,” and that it is not “aware of any DOJ investigation.”
Meanwhile, as we noted previously, recent reports in the Israeli media allege that Israeli police have been using NSO Group’s Pegasus software to hack the devices of Israeli civilians and activists. Police officials initially denied the claims, stating that a preliminary internal investigation had found no evidence of misuse. However, SecurityWeek reports that Israel’s national police force yesterday disclosed that a secondary inspection “found additional evidence that changes certain aspects of the state of affairs.” In response, Israel’s outgoing attorney general Avichai Mandelblit has instructed the police “to adopt procedures immediately in order to prevent breach of authority,” and has requested a report on the surveillance activity from his fact-finding team by July 1.
Greek DPA fines major telecom for customer data breach.
BleepingComputer reports that the Greek data protection authority has imposed fines of 5,850,000 EUR on COSMOTE and 3,250,000 EUR on OTE, telecoms owned by Greece’s largest technology company, OTE, for the exposure of sensitive customer data during a cyberattack. The authority says COSMOTE violated at least eight articles of the GDPR, including by failing to inform customers of the full impact of the breach. The 2020 attack occurred when a threat actor obtained an employee’s account credentials through a social engineering scam on LinkedIn, then used the credentials to access OTE’s servers on five separate occasions and steal database files. The data of millions of subscribers were compromised, and a subsequent investigation by the data protection authority revealed that the attack was aided by failures in OTE’s data anonymization and storage processes.