Included in this issue: Facebook scam allows hackers to gain access to personal details; Merkel suggests shift in Germany's approach to data storage; China introduces new cyber security legislation and more... 


Facebook scam allows hackers to gain access to personal details

Facebook users have identified a scam which may give hackers access to private information such as login details.

The offending software has spread through the social network's Facebook Messenger service. Users receive a message containing what looks like a link to a YouTube video; the destination is not YouTube, and the attachment is actually an SVG (Scalable Vector Graphics) file, an XML-based image format that can carry embedded content, including script. In order to watch the "video", users are directed to install an extension for Google Chrome. The extension appears to be blank but has the ability to install malicious software on the user's computer. The message spreads by working through the compromised user's contact list, so the friends of users whose accounts have been hijacked are targeted next.

The extension has permissions that enable it to read and change users' data on the websites they visit, which effectively lets it harvest personal information such as passwords and financial details. The SVG file also contains a downloader which could, ultimately, fetch and install ransomware, a form of malware that locks the files on a victim's computer until a ransom is paid.
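Because the attack described above hinges on an image file that is really a carrier for script and a redirect, the following is an added example (not from the original article, and not Facebook's own tooling) of the kind of static check a mail or messaging gateway could apply to SVG attachments before letting them through. It parses the SVG as XML and flags script elements, on* event-handler attributes, javascript: URLs, links out to external sites and elements that embed foreign HTML. The two sample files and the domain video-player.example.invalid are constructed for the example; the function names are the example's own.

```python
"""Static check for executable or link-out content in an SVG attachment.

Added example: flags the SVG features the Messenger scam relies on
(embedded script, event handlers, navigation to an external site).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element names (namespace stripped, lower-cased) that let an SVG run script
# or pull in foreign HTML content such as an <iframe>.
SCRIPT_TAGS = {"script"}
EMBED_TAGS = {"foreignobject", "iframe", "object", "embed"}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing executable
    or link-out was found. This is static analysis only: the image is never
    rendered."""
    findings: list[str] = []
    head = data.lstrip()[:512].lower()
    if b"<svg" not in head and b"<?xml" not in head:
        return ["file does not start like an SVG/XML document"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Not well-formed XML, so not a valid SVG either.
        return [f"malformed XML: {exc}"]

    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        tag = _local(elem.tag)
        if tag in SCRIPT_TAGS:
            findings.append("<script> element present")
        elif tag in EMBED_TAGS:
            findings.append(f"<{tag}> element can embed foreign HTML content")

        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {name}= on <{tag}>")
            if attr == XLINK_HREF or name == "href":
                # Collapse whitespace so "java\nscript:" is not missed.
                target = re.sub(r"\s+", "", value)
                scheme = urlparse(target).scheme.lower()
                if scheme in ("javascript", "vbscript"):
                    findings.append(f"{scheme}: URL on <{tag}>")
                elif scheme in ("http", "https", "ftp", "file"):
                    findings.append(f"external link on <{tag}>: {target}")
                elif scheme == "data" and not target.lower().startswith("data:image/"):
                    findings.append(f"non-image data: URL on <{tag}>")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_svg(data))


# Constructed samples (not real attachments). The benign one is a plain drawing;
# the malicious one mimics a "video thumbnail" that redirects the browser.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="320" height="180" onload="init()">
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="320" height="180"/>
  <a xlink:href="https://video-player.example.invalid/watch">
    <rect width="320" height="180" fill="none"/>
  </a>
  <script><![CDATA[
    window.top.location = "https://video-player.example.invalid/watch";
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```

The check is deliberately conservative: any external link is reported, because a legitimate image shared in a chat has no reason to navigate the browser. Note that xml.etree.ElementTree is not hardened against entity-expansion attacks; a gateway processing untrusted files should parse with defusedxml or an equivalently hardened parser.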

Facebook released a statement in which it acknowledged the scam, but stated that it maintains, "a number of automated systems to help stop harmful links and files from appearing on Facebook" and is, "already blocking these ones from our platform, and we have reported the bad browser extensions to the appropriate parties."

Users are reminded not to click on messages they do not recognise and, for messages that appear to come from friends, not to download attachments or follow links until they have verified that the message is genuine.

In the run-up to Christmas a further scam has started to plague Facebook in the form of the "Secret Sister Gift Exchange". This scheme appears from the outset to operate as an illegal pyramid scheme and is under close scrutiny by law enforcement in the US. Users are reminded not to engage with offers that seem too good to be true, as they may simply be another way for scammers to get hold of personal data.

The story as reported in The Telegraph and The Independent is available here.

Three hack leaves customers' private information at risk

British mobile phone company Three has acknowledged that hackers have gained access to its customer upgrade database.

The hackers used the login details of a Three employee to access the database, which, as reported in the Independent, contains the private information of "two thirds of the company's nine million customers".

The information accessed includes customers' names, addresses and phone numbers, but not banking information such as card details or PINs. It is thought that the hackers used the information to access the online accounts of certain customers in order to request mobile phone upgrades, which they then intended to intercept.

Three released a statement in which it noted a marked increase in handset fraud over the past month:

"Over the last four weeks Three has seen an increasing level of attempted handset fraud. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system. This upgrade system does not include any customer payment, card information or bank account information. The investigation is ongoing and we have taken a number of steps to further strengthen our controls."

The National Crime Agency has confirmed that three men have been arrested in relation to the incident.

The story as published in the Independent is available here.

Customers go hungry as Deliveroo accounts are hacked

The BBC's investigative journalism programme, Watchdog, has revealed that users of food delivery app Deliveroo have had their user accounts hacked and been billed for food which they hadn't ordered.

Hackers used the compromised accounts to order food deliveries, worth up to £200, to various locations across the UK.

Deliveroo commented: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach."

The company recommended that customers use "strong, unique passwords for every service they use" in order to minimise the risk of such breaches recurring.

Companies are reminded to ensure that they have adequate security measures in place to protect customer data.

The full article from the BBC is available here.

National Lottery player account hack

Around 26,500 National Lottery player accounts have been compromised, with the information held in some of them stolen. Players were contacted by the National Lottery's operator, Camelot, which required a mandatory one-off password reset in order to counter the attack, but many believed these emails were themselves phishing scams. In a small number of cases, fewer than 50 accounts, account details had been changed, although this may have been done by the players themselves. Some customers have commented that the breach has made them lose confidence in playing the National Lottery online, and that they may now buy tickets in store with cash instead. No money was taken from the affected accounts.

The Information Commissioner's Office (ICO) has said that it is aware of the hack and is currently investigating, and released the following statement:

"Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today. The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber-attacks. Where we find this has not happened, we can take action. Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department."

The story as published in the Guardian is available here.


Merkel suggests shift in Germany's approach to data storage

Speaking at the country's 10th annual IT summit, German Chancellor Angela Merkel warned of the limiting effect that the General Data Protection Regulation (GDPR) might have on innovation if interpreted too restrictively. The GDPR, which applies from May 2018, has the objective of giving citizens more control over and protection of their personal data by specifying the conditions under which it may be stored and processed by companies.

The German Chancellor stated that if interpreted too rigidly at national level, the GDPR could make big data management impossible and therefore prevent German companies from competing in the big data market. She said that "data economy cannot be the guiding principle for new products today" and that the approach to data protection should be geared towards "enabling new developments" while preventing excesses.

This sentiment was supported by Germany's Interior Minister, Thomas de Maiziere, who highlighted the potential economic benefits of big data and added that "not saving data in Germany means that data will be used elsewhere".

The statements suggest a change in position from the German government, which has traditionally taken a hard-line stance on the storage of their citizens' data by foreign organisations.

For more information on the story as published in the Deutsche Welle click here.


China introduces new cyber security legislation 

On 1 June 2017 China plans to bring into force stringent new cyber security legislation that may force technology companies to provide the proprietary source code of their products to the Chinese government. This has caused uproar among many large US-based technology companies.

China has argued that the rules have been developed so that the government can confirm that products are secure and cannot be hacked. President Xi Jinping has stated that "no cyber security means no national security."

These new disclosure rules could limit technological innovation in China, currently the world's largest market for digital shopping, as companies will have to weigh the impact and cost of the new measures against continuing to do business in the country. A further expense will be the requirement for companies operating in a "critical area" to store data within China; this will lead to expensive duplication of facilities, which could dissuade international companies from continuing to do business there.

The story as published in the Guardian is available here.

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK
