Top cyber stories for July 2019


No jail time for malware author turned WannaCry hero


Marcus Hutchins, the security researcher credited with averting the WannaCry worm but later accused of creating malware himself, has been released from the threat of jail with a “time served” sentence.


Hutchins’ name hit the headlines in 2017 when the WannaCry ransomware, in the midst of a devastating series of infections including crippling attacks on many systems inside the UK’s NHS, suddenly shut down. The abort signal was apparently issued when Hutchins, going by the tag “MalwareTech”, registered a URL spotted inside the attack’s code, unwittingly activating a “kill switch” built into the malware. Although initially keeping quiet about his role in the affair, Hutchins soon came to be feted as a hero for his accidental discovery.


Shortly afterwards, Hutchins was arrested in Las Vegas after attending the Black Hat/Defcon security conferences, accused of creating and distributing banking malware a few years earlier. He initially contested the charges, and conspiracy theories abounded, building up a community of supporters.


Eventually Hutchins admitted his role in creating the UPAS Kit and Kronos banking trojans, and in April this year agreed to a plea deal. At his sentencing in late July, the judge appeared to agree with general public feeling that his felicitous discovery of the WannaCry sinkhole should be counted in the balance, and released him without further jail time on the basis of time already served during the investigation. It’s possible that the relatively meagre amounts stolen by Hutchins’ malware strains may have played a part in the decision.


Releasing news of the sentence, Hutchins tweeted his gratitude to the judge, and to his fans and followers.


Capital One hack leaks data on over 100 million customers


Capital One has joined the long list of major global brands to suffer the embarrassment of a serious leak of private customer data. The 10th largest bank in the US admitted in a statement on July 29th that data belonging to both customers and applicants for credit cards had been accessed by an unauthorized individual.


The statement confirmed that the leak affected 100 million users in the US and another 6 million in Canada. The haul included a wealth of personal information including credit scores, card balances and payment histories, contact info, and in some cases social security numbers (1 million Canadian Social Insurance numbers) and details of linked bank accounts.


The breach apparently came to light on July 17th when a “configuration vulnerability” was reported to the bank by a researcher. Further investigation revealed the data leak by July 19th, although it’s thought the hack itself dated back to March.


Alongside the statement from Capital One some ten days later, the US Department of Justice issued a release detailing the arrest of a 33-year-old Seattle woman in connection with the incident. This may explain the delay between discovery of the data breach and release of information to the public.


The arrested individual, Paige A. Thompson, goes by the handle “erratic”, and is accused of posting the data filched from Capital One’s cloud system to a GitHub repository. The arrest took place on the same day as the Capital One and DoJ statements were issued, apparently by a squad of FBI agents in full tactical gear. Thompson could face 5 years in jail and a $250,000 fine, according to the DoJ.


In the wake of the incident, a class-action lawsuit has been filed against Capital One, for failing to properly secure their Amazon S3 services, and also against GitHub for facilitating the distribution of the leaked data.


Multiple fines issued for privacy failings, but are they stiff enough?


July saw a raft of hefty fines issued to major companies for failing to properly protect the privacy of their users and customers, but despite the growing size of these penalties many are suggesting they do not go far enough to deter big brands from abusing the trust placed in them.


The UK’s Information Commissioner’s Office (ICO) started the fine spree with GDPR-related fines imposed on British Airways (£183 million) and the Marriott International hotel chain (£99 million), the two announced just a day apart.


Over in the US, Equifax agreed to pay out at least $575 million, and possibly as much as $700 million, over their epic 2017 data breach. The FTC alleges the firm failed to properly patch its systems, leaving a gaping hole open for attackers to exploit. The fine includes contributions to a fund to provide credit monitoring to victims of the leak, as well as compensation.


Then came news that Facebook could expect a massive $5 billion fine over the Cambridge Analytica election-manipulation scandal, among other privacy issues. Massive by most measures, but in comparison to Facebook’s epic revenues, the record-breaking levy has been described as an “embarrassing joke”, “derisory” and even a “sweetheart deal”.


While the GDPR fines on companies with real-world activities which also operate online are likely to encourage greater respect for customer privacy and greater attention to properly securing their systems and data, the levies against the internet giants aim to punish and discourage behaviour which is a core part of their data-slurp-and-sell business models. For the likes of Google and Facebook to be driven to change, it seems likely that far bigger penalties, and far stricter regulation, will be required.