Learning from breaches in the news


This is our latest article in a series putting the spotlight on Information Security. Here, Sarah Coles looks at three recent newsworthy breaches and shares her takeaways on how to stay protected.

Capita, the UK’s largest outsourcing provider, confirms cyber attack

What happened?

Capita confirmed that a recent IT outage was the result of a cyber-attack that prevented staff from accessing its internal Microsoft Office 365 applications. Capita provides services to the Government, the BBC and the UK military, amongst others, and holds over £6.5 billion in annual contracts.

In an interview with The Times, Capita’s CEO said the incident began at 5am on Friday 31st March, and that it was clear by 7am that the outage was caused by ransomware [1]. However, a Times reporter tweeted earlier that day that Capita had said it was ‘too early to say if it’s a cyber security attack’ [2]. This position held until day 3, when Capita updated its website stating there was “no evidence of customer, supplier or colleague data having been compromised” [3]. Just over a week later, the Russian-linked ransomware group Black Basta listed Capita as one of its recent victims and advertised the stolen data for sale on its leak site. The data is reported to include Capita clients’ bank details, phone numbers and home addresses.

Aviva and Royal London have both reported service outages as a result of the attack on Capita, which shows why selecting the right supplier, and having resilience plans in place for the loss of a key supplier, matters.

Key takeaway

Be transparent with your clients during an incident – If personal data has been exposed, clients need to know straight away so they can act to protect themselves, for example by watching for fraud or changing compromised credentials. A well-rehearsed communications plan reassures stakeholders and reduces reputational damage.

Ensure supplier due diligence covers how your information is protected – Asking about the security programme in place, whether there are dedicated security roles, and alignment with industry frameworks such as ISO 27001 are good starting points.

Hackers steal data from the UK Pension Protection Fund (PPF)

What happened?

The PPF, which manages £39 billion of assets for 295,000 members, was the victim of a cyber-attack via a third-party supplier in March, in which current and former employee data was compromised.

The PPF had been using a secure file transfer application, GoAnywhere MFT. Fortra, which owns GoAnywhere MFT, disclosed a zero-day vulnerability in the product on 2nd February and released a security fix five days later, on 7th February.

A zero-day vulnerability is one that is already being exploited, or is publicly known, before the vendor has a patch for it. These vulnerabilities pose a higher risk because there is a race between protecting exposed systems and attackers exploiting the flaw in the window before a patch is released and applied.

Since its disclosure, the Cl0p ransomware group has claimed over 130 victims of the GoAnywhere vulnerability [4]. Compromised organisations named on its leak site include the PPF, Japanese tech giant Hitachi and digital-first bank Hatch Bank.

Key takeaway

Keep on top of threats, especially zero-day vulnerabilities – Even if a patch isn’t yet available, mitigations can limit the risk, such as taking the affected system off the internet, restricting access to its administrative interface, or isolating it from the rest of your network until a fix can be applied.

Ensure you apply software updates as soon as possible – Patches for critical or high severity vulnerabilities should be applied within 14 days of release, the threshold also used by the UK Cyber Essentials scheme.
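The two takeaways above describe a policy; turning it into a routine check is straightforward. The following Python is an added illustration, not code from the original article or from any vendor: it takes a small inventory of findings (constructed sample data, with hypothetical host names) and reports which ones have breached a patching SLA, and how long a system sat exposed between a zero-day disclosure and the vendor fix. The field names and the non-critical SLA values are assumptions; the 14-day figure for critical and high, and the 2nd/7th February GoAnywhere dates, come from the article.

```python
"""Patching SLA check: flag findings that exceed the allowed patch window.

Added example for the takeaways on zero-days and 14-day patching. The
findings below are constructed sample data, not real scanner output, and
the host names and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Allowed days from fix release to deployment. 14 days for critical/high
# matches the article; the medium/low values are assumed placeholders.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    severity: str                    # one of the SLA_DAYS keys
    fix_available: date              # day the vendor shipped a patch
    patched_on: Optional[date] = None    # None means still unpatched
    disclosed: Optional[date] = None     # public disclosure, if before the fix


def sla_deadline(f: Finding) -> date:
    """Last acceptable day to have the patch deployed."""
    return f.fix_available + timedelta(days=SLA_DAYS[f.severity.lower()])


def sla_status(f: Finding, today: date) -> str:
    """Return 'met', 'breached', or 'open' (unpatched but still inside the SLA)."""
    deadline = sla_deadline(f)
    if f.patched_on is not None:
        return "met" if f.patched_on <= deadline else "breached"
    return "open" if today <= deadline else "breached"


def breached_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Everything that is, or was, patched later than its SLA allows."""
    return [f for f in findings if sla_status(f, today) == "breached"]


def days_without_fix(f: Finding) -> Optional[int]:
    """Zero-day exposure window: days between disclosure and the vendor fix.

    The SLA clock only starts when a fix exists, so this window is the
    period in which mitigations (not patches) are the only defence.
    """
    if f.disclosed is None:
        return None
    return (f.fix_available - f.disclosed).days


# Constructed sample inventory. Hosts are hypothetical; the GoAnywhere
# disclosure (2 Feb) and fix (7 Feb) dates are those given in the article.
GOANYWHERE_DISCLOSED = date(2023, 2, 2)
GOANYWHERE_FIXED = date(2023, 2, 7)
SAMPLE = [
    Finding("mft-01", "GoAnywhere MFT", "critical", GOANYWHERE_FIXED,
            patched_on=date(2023, 2, 8), disclosed=GOANYWHERE_DISCLOSED),
    Finding("mft-02", "GoAnywhere MFT", "critical", GOANYWHERE_FIXED,
            patched_on=None, disclosed=GOANYWHERE_DISCLOSED),
    Finding("web-03", "nginx", "medium", date(2023, 2, 1),
            patched_on=date(2023, 2, 20)),
    Finding("app-04", "openssl", "high", date(2023, 2, 20),
            patched_on=date(2023, 3, 10)),
]
REPORT_DATE = date(2023, 3, 1)   # assumed "today" for the sample report


if __name__ == "__main__":
    for f in SAMPLE:
        exposure = days_without_fix(f)
        note = f", {exposure} days with no fix available" if exposure else ""
        print(f"{f.host:7} {f.software:15} {f.severity:9} "
              f"deadline {sla_deadline(f)} -> {sla_status(f, REPORT_DATE)}{note}")
    print("Breached:", [f.host for f in breached_findings(SAMPLE, REPORT_DATE)])
```

In the sample, mft-02 is still unpatched three weeks after the fix was released, and app-04 was patched but four days late; both appear in the breached list. The `days_without_fix` value for the GoAnywhere hosts is the five-day window the article describes, during which only mitigations such as restricting access to the product could have helped.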

Samsung suffers a data leak as employees paste confidential data into ChatGPT

What happened?

Samsung employees interacting with ChatGPT reportedly leaked confidential information on three separate occasions [5], including asking ChatGPT to:

  • Review company source code
  • Optimise test sequences for identifying faults in the chips they were designing
  • Convert internal meeting notes into a presentation.

As well as this, OpenAI disclosed a data leak in ChatGPT itself in March: a bug allowed some users to see the titles of other users’ conversation histories [6], and around 1.2% of ChatGPT Plus subscribers had payment details exposed to other users [7].

Key takeaway

Confirm staff are aware of data handling policies and their responsibilities – Including clear guidance on what can and cannot be shared with external systems and personal accounts. A published list of approved company applications and services makes this easier for staff to follow.

Ensure incident response teams are aware of regulatory reporting – Such as the need to notify the FCA, and the UK GDPR requirement to report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it.

[1] https://www.thetimes.co.uk/article/capita-it-outsourcer-reels-from-being-locked-out-of-its-own-it-dhk9lgnd6

[2] https://twitter.com/kprescott/status/1641727707841982465?s=20

[3] https://www.capita.com/news/capita-plc-update-cyber-incident

[4] https://techcrunch.com/2023/03/22/fortra-goanywhere-ransomware-attack/

[5] https://securityaffairs.com/144597/security/samsung-data-leak-chatgpt.html

[6] https://cybernews.com/news/chatgpt-flaw-exposed-users-chat-histories/

[7] https://cybernews.com/news/payment-info-leaked-openai-chatgpt-outage/

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.  

Speak to us and find out how we can help your business thrive.