Infosec Round-Up Nov 12th

Google Privacy Case, REvil Bounty & Clinic Ransomware Attack

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Google Privacy Case

The UK’s Supreme Court has rejected a mass-action lawsuit which sought billions of pounds in damages against Google over the alleged illegal tracking of millions of users.

Had the case, which began back in 2017, been allowed by the Supreme Court to continue, it would have set a significant precedent in terms of future mass actions; whereby one representative could have brought action on behalf of millions of others.

In his judgement of the case, Lord Leggatt stated that a key problem was the claimants lack of evidence regarding individual suffering or any material damage or distress as a result of a breach.

Richard Lloyd, former director of consumer rights group Which? who brought the case has responded to the decision stating: “We are bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other big tech firms who break the law.”

Adding, “Although the court once again recognised that our action is the only practical way that millions of British people can get access to fair redress, they've slammed the door shut on this case by ruling that everyone affected must go to court individually.”

US REvil Bounty

The US Department of State is offering up to $10 million for the identity or location of members of the notorious REvil (Sodinokibi) ransomware syndicate.

As part of the Transnational Organized Crime Rewards Program (TOCRP), this week’s announcement offers a reward of $10 million “for information leading to the identification or location of any individual holding a key leadership position” in the criminal group, as well as up to £5 million for affiliates.

Responsible for attacks against JBS, Travelex and more, two members of the REvil syndicate have this week been arrested by Romanian law enforcement, as well as having around $6 million seized by the US authorities.

In the announcement the Department of State noted, “In offering this reward, the United States is demonstrating its commitment to protecting ransomware victims around the world from exploitation by cyber criminals, and to working with nations willing to bring those criminals to justice.”

Adding, “The Department has paid more than $135 million in rewards to date.”

Stor-a-File Ransomware

The British data storage company Stor-a-File has suffered a ransomware attack in which a total of 13 organisations have been affected, six of which are healthcare related.

Occurring in August of this year, the attack on the firm is reported to have been the result of unpatched software, leading to data being leaked on the darkweb by ransomware criminals.

The Lister Fertility Clinic, which treats around 2,000 patients each year, was one of those organisations affected; having sent a letter to around 1,700 patients warning medical records including consent forms, medical history, and fertility treatment records was amongst the data breached.

In a statement Stor-a-File said, “the incident is limited to the small number of records we hold electronically. Everyone whose data may have been affected has been contacted. The millions of company and organisation records, held physically in boxes on shelves in our warehouses were unaffected.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.