Infosec Round-Up Jan 7th

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

28TB Backup Error

Japan’s Kyoto University has lost an estimated 28TB of research data following a devastating backup error involving its Hewlett-Packard supercomputer.

Occurring sometime in mid-December, an investigation into the issue found that 25 million files from 14 different research groups had been wipe from the system and backup storage, much of which could not be restored.

Initially estimated to be 77TB of lost data, the details of the information have not been made public, though the university has stated in an announcement that 68 users were affected.

With Hewlett-Packard Enterprise (HPE) stating that it takes “100% responsibility” for the error, the company explained that a software update intended to improve file visibility was the source of the problem, adding (translated) “We deeply apologize for causing a great deal of inconvenience due to the serious failure of the file loss.”

New UK Information Commissioner

John Edwards, the former New Zealand Privacy Commissioner, this week begins his new role as the UK’s Information Commissioner, succeeding his predecessor Elizabeth Denham CBE.

Having previously worked as a solicitor and barrister for over 14 years, as well as time advising the NZ government, Edwards takes his new position at a time when the privacy watchdog will see significant changes, to not only its governance model, but also in “actively engaging with the government over the proposed reforms to the Data Protection Act.”

In an official announcement, Edwards stated “Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.

“My role is to work with those to whom we entrust our data, so they are able to respect our privacy with ease whilst still reaping the benefits of data-driven innovation. I also want to empower people to understand and influence how they want their data to be used, and to make it easy for people to access remedies if things go wrong.”

Payment Service Fined

The Paris-based payment services company SlimPay has been fined €180,000 by the French data privacy regulator following the discovery that it had exposed sensitive customer data on a publicly accessible server for several years.

Having undertaken a research project into anti-fraud technology in 2015, SlimPay used personal data contained in its customer databases, though following the end of the project in 2016 the data was left on a publicly accessible server.

Affecting approximately 12 million people, the breach was discovered by a customer of SlimPay in February 2020, who in turn notified the company.

Having been found to have failed to comply with several GDPR requirements, including the notification of data subjects, SlimPay has stated: “we are committed to implementing measures which meet the expectations of the GDPR, and have been doing so since its enforcement began in 2018.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.