Here is our cyber security news round-up of the week:
Discord security vulnerabilities nets bug bounty
British Airways fined £20m for data breach
British Airways have been fined £20 million by the ICO for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack and lacked adequate security to detect and defend itself against it. The ICO had originally planned to fine BA nearly £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of Covid-19, as well as work BA had undertaken to address the issue, and the ICO learning more about the nature of the attack in a further investigation. Customers' names, addresses, payment card numbers and security numbers were among the details compromised in the attack.
The ICO said BA appeared to have breached requirements of payment card information data security standards (PCI DSS) in relation to its storage of payment card data. According to the ICO, the attacker had gained initial access to BA's network using compromised credentials of a user within a third-party supplier who was accessing the BA network remotely. The attacker was then able to "breakout" from the remote access systems into the wider network BA operated. Even with the reduced penalty size, the ICO is sticking by its original conclusions, described in its statement related to the breach penalty.
SIEM platform exposed to remote code execution attack
A Java deserialisation bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution. The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.
Java client applications convert objects into streams of bytes – or ‘serialise’ them – and send them to servers, which deserialise them into their original structure before processing. If deserialisation is not handled properly, hackers can exploit the process to send malicious data to Java application servers. While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions. Researchers also found and reported the deserialisation vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.
Cruise operator Carnival latest ransomware victim
Carnival Corporation disclosed in a filing with the US Securities and Exchange Commission that one of its brands suffered a ransomware attack that resulted in hackers gaining access to internal IT systems, encrypting a portion of the systems, and stealing the personal data of guests and employees. The company also stated that as soon as the ransomware attack was detected, it launched an investigation, notified law enforcement authorities, and engaged legal counsel and other incident response professionals.
Recently, the cruise line giant, which operates a number of renowned cruise line brands such as Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises in the UK and Australia, said the August ransomware attack resulted in hackers gaining access to the personal information of a number of guests, employees, and crew. The cruise line company also announced in a separate press release that the ransomware attack on its IT systems affected three cruise lines, namely Carnival Cruise Line, Holland America Line and Seabourn, as well as the company's casino operations.
Microsoft announces its own Project Zero for Edge
Microsoft has announced plans for a Project Zero-style security research program focused on Chromium, after rebuilding the Edge browser using the open-source codebase. Having relaunched Internet Explorer’s successor as a Chromium-based browser, the tech giant tasked a team of browser security experts to undertake research into Google’s browser-building repository. The research will be published in accordance with responsible disclosure guidelines.
New Zealand announces new privacy breach service
New Zealand's Office of the Privacy Commissioner (OPC) this week launched NotifyUs – a new online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable. Under the New Zealand Privacy Act 2020, which comes into effect on 1 December 2020, it will be mandatory for organisations to notify OPC if a privacy breach has caused, or is likely to cause, serious harm. Businesses and organisations which fail to report a notifiable privacy breach to OPC may receive fines of up to NZ$10,000.
Privacy Commissioner John Edwards says NotifyUs will help organisations determine whether a breach has caused, or could cause, serious harm, and guide them through the reporting process:
“We want the privacy breach pre-assessment and reporting process to be straightforward. NotifyUs has undergone extensive testing ahead of today’s launch to ensure the guidance is clear and easy to follow. I encourage people to use it in advance of the new legislation taking effect on 1 December.”
Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to our weekly Cyber Pulse newsletter below.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM, CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, in addition Richard is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor for cyber insights and industry collaboration including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
Cyber Pulse: Edition 137 | 13 November 2020
Cyber Pulse: Edition 136 | 5 November 2020
Cloud Native Security – Accelerate Left or Get Left Behind
Cyber Pulse: Edition 135 | 27 October 2020
Cyber Pulse: Edition 133 | 14 October 2020
Cyber Pulse: Edition 132 | 8 October 2020
Cyber Pulse: Edition 131 | 28 September 2020
Cyber Pulse: Edition 130 | 21 September 2020
Cyber Pulse: Edition 129 | 15 September 2020
Cyber Pulse: Edition 128 | 8 September 2020