InfoSec Round-Up Dec 3rd

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Facial Recognition Company Faces Possible Fine

The Australian facial recognition company Clearview AI has been provisionally fined £17 million by the UK’s Information Commissioner’s Office for its handling of personal data.

Clearview AI, which promotes its product as a “Google search for faces” and claims to hold over 10 billion facial images, has been ordered to stop further processing and delete the personal data of people in the UK following “alleged serious breaches” of UK GDPR.

Announced by the data watchdog following a joint investigation by UK and Australian authorities, a preliminary review finds that the company failed to comply with a number of data protection regulations, including failing to stop data being retained indefinitely, failing to have a lawful reason for collecting information, and failing to inform individuals of what is happening to their data.

Despite Clearview AI’s chief executive claiming to have complied with “all standards of privacy and law”, Information Commissioner, Elizabeth Denham has stated “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.”

Insider Threat Charged

A former employee of electronic device maker Ubiquiti has this week been charged with data theft and attempting to extort his employer.

Nikolas Sharp, who if found guilty faces a maximum sentence of 37 years in prison, used his trusted position to steal gigabytes of confidential data from Ubiquiti, then attempted to extort the company for almost $2 million.

After these extortion attempts failed, Sharp then shared information with the media under the guise of being a whistle-blower. Actions which are believed to have resulted in Ubiquiti’s stock price falling by roughly 20%.

Taking care to hide his actions, including altering activity logs, the insider threat’s identity was eventually exposed after a temporary internet outage betrayed his home IP address.

U.S. Attorney Damian Williams has stated on the case: “As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand… Now the alleged theft and lies have been exposed, Sharp is facing serious federal charges.”

Cabinet Office Data Breach

The UK’s Cabinet Office has been fined £500,000 for the unauthorised disclosure of personal information of the 2020 New Year Honours recipients.

Found to have failed to put appropriate technical and organisational measures in place to prevent such a breach, the Cabinet Office published a file containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list, including musician Sir Elton John.

Available online for a period of only two hours and 21 minutes, the personal data was accessed almost 4 thousand times.

Steve Eckersley, ICO Director of Investigations, has stated: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected.”

Adding, “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.