Weekly podcast: Basildon council, cosmetic surgery clinic hacked, WannaCry not spread by XP

This week, we discuss a £150,000 fine for Basildon Borough Council, a data breach affecting a Lithuanian cosmetic surgery clinic, and news that the recent WannaCry ransomware attack may not have spread via Windows XP flaws.

Hello and welcome to the IT Governance podcast for Friday, 2 June 2017. Here are this week’s stories.

Basildon Borough Council has been fined £150,000 by the Information Commissioner’s Office for breaching the Data Protection Act by publishing planning application documents on its website containing a family’s sensitive personal information.

According to the ICO, the application included a “written statement in support of a householder’s planning application for proposed works in a green belt” and “contained sensitive personal data relating to a […] family who had been living on the site for many years. In particular, it referred to the family’s disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home. The council published the statement in full, without redacting the personal data”.

ICO enforcement manager Sally Anne Poole said: “This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available. Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable.”

Some might say the council got off lightly: under the Data Protection Act’s replacement, the EU’s General Data Protection Regulation, which comes into effect in less than a year’s time, data breaches of sensitive information such as this will incur a maximum penalty of up to 4% of an organisation’s annual global turnover, or €20 million – whichever is greater.

On Tuesday, a criminal group calling itself ‘Tsar Team’ published the personal data and more than 25,000 private photos of cosmetic surgery patients from more than 60 countries following a data breach at a Lithuanian clinic. According to the Guardian, more than 1,500 British patients are listed in the stolen database.

The group hacked the servers of the Kaunas-based Grozio chirurgija clinic earlier this year and demanded 300 bitcoin – about half a million pounds – which it called “a ‘small penalty fee’ for having vulnerable computer systems”. The clinic refused to pay.

Patients, reportedly including a number of celebrities, were also blackmailed, with the criminals demanding bitcoin payments of between €50 and €2,000 depending on the sensitivity of the data, which included passport and credit card details, national insurance numbers, and nude ‘before’ and ‘after’ surgery pictures.

When the extortion demands were not met, the group released the entire database.

The clinic has warned its patients not to engage with the blackmailers, but to inform the police immediately. Lithuanian police say dozens of victims have already come forward.

Finally, WannaCry again. It seems that the use of Windows XP wasn’t actually to blame for the ransomware’s recent spread, as the vast majority of experts – us included – originally thought. Extensive analysis from Kryptos Research – whose employee Marcus Hutchins sinkholed the domain that stopped the malware spreading – has shown that XP is actually so decrepit that it just crashes when the DoublePulsar payload – the Equation Group backdoor implant tool that was used alongside EternalBlue in the WannaCry attack – is used.

XP, I should add, is still vulnerable to EternalBlue when the WannaCry binary is executed manually – and is vulnerable to numerous other attacks – so it’s still important to upgrade to supported systems, carry out regular penetration tests and maintain a proper patch management programme.

But, as Kryptos explained, when they manually backdoored test systems with DoublePulsar, the “Windows XP hosts kept blue-screening and rebooting without any infection occurring.”

Annoying, but not infectious.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.