Learning from breaches in the news

For financial professionals only

Information security never ceases to be a hot topic. Here, Sarah Coles looks at three recent breaches and shares her takeaways on how you can stay protected.

Transport for London (TfL) confirms 5,000 users' bank data exposed 

Last month, Transport for London (TfL) faced a sophisticated cyberattack that caused significant disruption. A 17-year-old has been arrested, and bailed, on suspicion of Computer Misuse Act offences.

The attack affected TfL's website, including its Dial-a-Ride system which supports passengers with disabilities. Customers were also unable to apply for new Oyster photocards, access live Tube updates or their travel histories. 30,000 TfL staff now need to reset their credentials to regain system access, via in-person appointments.

While the attack didn’t directly affect the transport network itself, the recovery process has been slow and is still ongoing. TfL confirmed that the personal data of around 5,000 customers, including their bank details, had been compromised, and that it will contact affected customers as soon as possible.

Recommendations

  • Sign up to haveibeenpwned to get an early warning when your details appear in a breach. Your information is likely to be sold online before the company notifies you, so an early alert lets you act fast, for example by changing any password you have reused elsewhere.
  • If you haven’t already, add additional protection, such as multi-factor authentication, to your accounts.

Sextortion scams now use your "cheating" spouse’s name as a lure 

You might have received an email in the past claiming that your computer was hacked and that you were recorded on your webcam in a compromising situation, demanding payment for the video to be deleted. One of your previously used passwords may also be included to make the claim more believable. This is a common sextortion scam that has done the rounds for a while, but it has since been updated to claim evidence of cheating spouses.

Now scammers are sending messages, often through email or text, claiming to have evidence of infidelity, such as photos, videos, or private conversations. To view this so-called "evidence," victims are asked to click on a link or make a payment.

The link usually leads to malicious websites that steal personal information, download malware, or demand further ransom. This scam preys on people’s emotions, hoping to provoke panic and rash actions.

Recommendations

  • Ignore these types of messages; don’t click on links or download files that you aren’t expecting.
  • If you receive a message referencing a password, it’s likely this password has been stolen in a breach and sold online. If you are still using it, replace it on every site as soon as possible. Better yet, use multi-factor authentication, so that if your password is compromised the attacker still needs an additional piece of information before they can access your account.
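The haveibeenpwned service mentioned above also publishes a Pwned Passwords lookup that uses k-anonymity: only the first five hex characters of the password’s SHA-1 hash are sent to the service, which replies with every known breached-hash suffix under that prefix and how often each was seen, so the full password (and its full hash) never leave your machine. The example below is added here and is not code from the article; the range-response lines are constructed inline so it runs offline, and `fetch_range_live` is an assumed minimal wrapper for the real endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; not contacted by this example.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the service and the 35-char suffix that stays on the local machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blanks tolerated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call: a range response containing the
# suffix of a deliberately weak sample password plus two unrelated suffixes.
_SAMPLE_BREACHED = "password123"
_PREFIX, _SUFFIX = split_sha1(_SAMPLE_BREACHED)
_OTHER = [split_sha1(s)[1] for s in ("constructed-entry-a", "constructed-entry-b")]
_FAKE_RESPONSES = {_PREFIX: f"{_OTHER[0]}:3\r\n{_SUFFIX}:12345\r\n{_OTHER[1]}:2\r\n"}


def fake_fetch_range(prefix: str) -> str:
    return _FAKE_RESPONSES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Assumed minimal wrapper around the real API (requires network access)."""
    import urllib.request
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(breach_count(_SAMPLE_BREACHED, fake_fetch_range))  # 12345
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; the call still only reveals the 5-character prefix.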

Disney ditching Slack after massive July data breach 

Disney suffered a data breach this year when the “hacktivist” group NullBulge leaked a whopping 1.1 terabytes of data from Disney’s internal workplace communications platform, Slack. Hacktivists are motivated by spreading political or social agendas or exposing secrets and sensitive information; in this case, NullBulge’s stated motivation was Disney’s use of AI to generate some of its artwork. According to a NullBulge post on the data leak marketplace Breachforums, the data included unannounced projects, raw images and code, login credentials, internal web pages and more, spanning more than 44 million messages.

Now Disney’s Chief Financial Officer has confirmed they’ll stop using Slack later this year amid cybersecurity concerns.

Last year, the global casino operator MGM Resorts was also hacked, with the threat actor gaining access to Slack channels.

Recommendations

  • Carry out due diligence on your key and high-risk suppliers before onboarding, and then annually thereafter. Having a set of questions to ask your suppliers helps you gain confidence in their ability to protect your data. A quick Google search of the company together with terms such as ‘cyber breach’ or ‘cyber security incident’ can also highlight previous incidents.
  • If you need help with the types of questions to ask, review the top 10 cyber security questions to ask your vendors [4] for a quick introduction or the National Cyber Security Centre supplier questions [5] for more detail.