Weekly podcast: AA (aagaain), NotPetya decrypted? and Bithumb hacked

This week, we discuss another incident response debacle at the AA, the latest move from the NotPetya group, and the hacking of the Bithumb virtual currency exchange.

Hello and welcome to a special anniversary edition of the IT Governance podcast for Friday, 7 July 2017. (Unbelievably, it’s been two years since we started doing these weekly news updates.) Here are this week’s stories.

Last week I talked about the AA’s mishandling of what appeared to be a non-existent data security incident, after it caused confusion and alarm by emailing customers to tell them that their passwords had been changed without explaining why, before eventually admitting that the email had been a mistake, that no passwords had, in fact, been changed and that customer data was actually secure.

This week, it’s emerged that the AA mishandled a genuine data breach affecting 13 gigabytes of customer information. And, amid all the equivocation, it’s still hard to tell whether the two incidents might actually be linked.

So, what’s happened? On 26 June, the day the AA sent its email about password resets, security researcher Troy Hunt, who runs the have i been pwned? service, tweeted that a follower had advised him that, in April, they’d “notified [the AA] about 13GB of exposed DB backups”. Hunt commented that it wasn’t clear if the AA had “ever notified customers”.

Customers who then asked the AA if the database breach did in fact have anything to do with the password reset email were left none the wiser. The AA would only comment that the incident “related to the AA shop & retailers’ orders rather than sensitive info. It was rectified and taken seriously” – the implication being that this was a separate incident.

On 3 July, presumably trying to put the issue to bed, the AA tweeted that it had “fixed” a “data issue” affecting its shop, and that no credit card information had been compromised.

According to Motherboard, however, an exposed server had compromised “117,000 unique email addresses, as well as full names, physical addresses, IP addresses, details of purchases, and payment card information. Those card details include the last four digits of the credit card and its expiry date.” What’s more, Motherboard had the database to prove it.

When Troy Hunt tweeted about the Motherboard article, expressing his disappointment at the AA’s poor form, the motoring giant insisted several times that no credit card details had been compromised. Hunt begged to differ, pointing out that a number of his subscribers had confirmed that their details were included in the data dump, but that they’d not heard from the AA.

The AA, again, insisted that credit card details had not been compromised. When asked what details had been compromised, the AA said that “a full independent investigation” had been instigated so it couldn’t provide any details – even though it miraculously knew that no credit card details had been compromised.

When Graham Cluley proved the AA wrong by posting a redacted screenshot of credit card information from the leaked database, he was warned that he “could be in breach of the Computer Misuse Act”. (A doff of the titfer to Mr Cluley for the way he referred to the AA as ‘a firm’, and that he was “naaming no naames”. Nicely done, sir. Nicely done.)

The Information Commissioner’s Office is now investigating. It said: “Businesses and organisations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries.”

The criminals behind the recent NotPetya ransomware (or, perhaps, not ransomware) attack have cleared their Bitcoin wallet, netting £7,900-worth of the virtual currency – a frankly rather piffling sum considering the disruption they caused.

According to Motherboard, the funds were used to pay for Pastebin and DeepPaste accounts, which the NotPetya group used to announce that they’d sell the private key that decrypts infected files for the rather more substantial sum of 100 bitcoin – about £200,000. Several people have apparently expressed an interest.

Motherboard reports that they contacted the NotPetya hackers and got them to decrypt an infected file in order to prove themselves. It should be pointed out, however, that this doesn’t mean that it’s possible to recover all lost data.

As you’ll no doubt remember from last week’s podcast, many researchers – including Kaspersky Lab’s Anton Ivanov and Orkhan Mamedov and Comae Technologies’ Matt Suiche – are convinced that disks that’ve been encrypted by NotPetya can’t be decrypted because the installation ID is randomly generated.

Matt Suiche stands by his initial estimation. He told Motherboard “the hackers are just ‘trolling’, trying to confuse researchers and journalists.”

If that’s the case, they’re doing well at it.

On the subject of bitcoin, one of the world’s largest bitcoin exchanges, South Korea’s Bithumb, has suffered a data breach in which the personal details of 32,000 customers were stolen. The data was then used in phishing attacks to fool users into transferring money. A local newspaper, the Kyunghyang Shinmun, reports that one victim lost 1.2 billion won – about £800,000.

The data breach occurred in February but was only discovered in June, according to The Register, which reports that “an employee’s personal home PC was infiltrated by hackers and used to extract users’ records”.

The BBC reports that it’s “unclear whether victims will be compensated in full”. Virtual currencies are not regulated by South Korea’s financial authorities.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.