Data Security

Banking App Fraud On The Rise

A recent report from cyber-security company RSA has highlighted a significant rise in fraud via fake banking apps.

Number of Attacks Has Trebled

The Fraud and Risk Intelligence (FRI) team at RSA have noted a tripling of the number of fraud attacks via fake mobile banking apps in the first six months of this year, with rogue mobile app fraud generally up by a staggering 191 per cent.

Fake Mobile Apps Exploit Digital Finance Trust

Not only did the 40,344 fraud attacks represent a 63 per cent rise, but 29 per cent of those attacks were recorded as coming from fake mobile apps.

In fact, the report identified an 80 per cent rise in the use of financial malware in the first half of this year, highlighting how cyber-criminals are using the transformation of finance to the digital world and the increasing trust of users in financial apps and digital financial transactions as a way in.

Changing

Tech and finance commentators have noted that as companies offer more convenient digitised financial initiatives to customers e.g. open banking, and as this has necessitated customers engaging in more digital touchpoints, it has led to a widening of the potential ‘attack surface’ that criminals can take advantage of.

Could Banks Do More?

An Immuniweb report from August this year noted that a massive 98 per cent of the world’s 100 leading financial technology (fintech) startup companies are vulnerable to web and mobile app attacks, and that 97 of the 100 largest banks are also vulnerable to web and mobile attacks which could facilitate a breach of sensitive data.

The Immuniweb report also highlighted mobile financial apps as being a problem area with all mobile apps tested showing at least one ‘medium risk’ security vulnerability, and 97 per cent having at least two medium/high-risk vulnerabilities. The tests also showed that over 50 per cent of mobile app backends have serious SSL/TLS misconfigurations or privacy issues which could be traced to not having robust-enough web server security.

This has led to some speculation that banks and other financial organisations could be doing more to help close potential security loopholes in their apps, thereby offering better protection to customers.

What Does This Mean For Your Business?

Mobile apps offer banks and other financial organisations a way to offer convenience and added value to their customers who want to be able to manage their finances on the go. However, legitimate app security problems, a proliferation of fake/rogue financial apps and the wider potential attack surface that comes with consumers increasingly trusting their finances to mobile digital transactions have increased the risks that businesses and consumers face.

As users of banking and other financial apps, we can help protect ourselves by sticking to some basic security procedures such as not clicking on links in unfamiliar messages or texts (to avoid loading malware), keeping a close eye on our bank transactions, and by being very cautious when downloading apps of any kind. For example, to minimise the risk of falling victim to rogue/fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete any apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

Any Thumbprint Unlocks a Galaxy A10

Samsung’s so-called “revolutionary” fingerprint authentication system for the Galaxy A10 phone appears to be offering less than satisfactory results as it is discovered that any thumbprint can unlock one.

Biometric ‘Fail’

South Korean phone giant Samsung has received some unwanted bad publicity for its new Galaxy A10 phone after an article appeared in the Sun newspaper highlighting how a British couple discovered that, after putting a low-priced screen protector (purchased from eBay) on the phone, each other’s thumb print could unlock the phone.

The thumbprint scanner, which uses ultrasound to detect 3D ridges in fingerprints and is only supposed to recognise the thumbprint that has been registered by the user, is reported to have recognised both of the thumbprints of user Lisa Neilson and both of her husband’s.

Patch

Samsung is reported to have acknowledged the fault and to be in the process of preparing a software patch to fix it.

Google Pixel ‘Face Unlock’ Issue

It seems that Samsung isn’t the only company struggling to produce a biometric phone security system that works properly.

The BBC has recently reported that after testing Google’s Pixel 4 phone’s Face Unlock system, it was discovered that with normal default settings on, the phone could be unlocked even if the user’s eyes were closed. The problem with this is that the phone could potentially be unlocked by another unauthorised person while the user is asleep simply by holding the phone in front of the user’s face.

The phone does, however, offer a ‘lockdown’ mode which users can switch to in order to deactivate the facial recognition system altogether.

Biometrics – The Way Forward?

Even though multi-factor authentication is more secure than relying on just a password for authentication, a continued reliance on weak passwords and password sharing by users, coupled with more sophisticated cyber and phone crime techniques, means that there is a strong argument for biometric methods of authentication, and a move towards what Microsoft has recently described as a “passwordless future”.

What Does This Mean For Your Business?

Even though biometrics has been shown to make things much more difficult for cyber-criminals to crack, as the A10 and the Pixel 4 security systems illustrate, biometrics have not been 100% successful to date and still need some work. In fact, this is not the first time that a Samsung Galaxy has been in the news for a biometric issue. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then use that fake fingerprint to beat the in-display fingerprint reader on the Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Equifax Hack Inevitable Says Lawsuit

A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”

What Happened

Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer details were stolen, 44 million of which are believed to have come from UK customers. Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s license details, and around 209,000 credit card numbers.

Hackers got in through a vulnerability in the website and Equifax was reported to have known about the attack 40 days before informing the public that it had happened. Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold off their shares worth almost £1.4m before the breach was publicly announced.

The Lawsuit

The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.

What Kind of Shortcomings?

The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”.  The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data.  For example, it alleges that Equifax:

  • Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
  • Didn’t encrypt sensitive information and instead stored it in plain text, making it easy for unauthorised users to read and misuse.
  • Didn’t encrypt mobile applications, meaning that it failed to encrypt data being transmitted over the internet.
  • Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
  • Used inadequate network monitoring practices and obsolete software.
  • Failed to implement adequate authentication measures.  This allegedly included using weak passwords and security questions.

Simple Usernames and Passwords Including ‘Admin’

One of the shocking accusations in the lawsuit relates to passwords.  It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit pins (derived from Social Security numbers and birthdays) to guard personal information, even though these weak passwords had already been compromised in previous breaches.

Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess.  For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.

Simple Passwords Still Widely Used

One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy to guess passwords, and by sharing the same password between multiple websites and platforms.

For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts.  The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

What Does This Mean For Your Business?

The allegations about the apparent organisational disregard for cyber-security at such a big company and the use of simple, default-style passwords such as ‘Admin’ and leaving one person in charge of patching for the whole company are truly shocking.  The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly with the possible fines from GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted.  Introducing multifactor authentication (MFA) also adds another important extra layer of security to password-based systems, and many companies are now seeking biometric authentication methods as a way of getting completely away from the whole risky password area.

The Equifax case also highlights how businesses shouldn’t treat database security any differently from other aspects of their cybersecurity, especially by not sharing admin passwords, and if sharing is necessary, by keeping track of who has those passwords and why. Using analytics on a database is also a way in which businesses can track when someone has got into a database using certain admin credentials.

Ex-Employee Claims Your G Suite Data Is Not Encrypted

A report by a former Google employee on the ‘Freedom of the Press Foundation’ website warns organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

G Suite

G Suite is Google’s set of cloud-based computing, productivity and collaboration tools including Gmail, Drive (for your company documents) and Calendar.

Privacy Risk

Former Google employee Martin Shelton alleges that files stored within Google’s G Suite have no end-to-end encryption as other Google services do, thereby potentially leaving business data vulnerable to being viewed by Google and by other persons such as Administrators.  Mr Shelton reports that:

  • While Google leverages your G Suite user data for e.g. filtering for spam, malware or targeted attack detection, it can also scan a user’s Google account for content that is illegal, or in violation of Google’s policies.
  • U.S. agencies can compel Google to hand over relevant user data from G Suite accounts to aid in investigations.
  • Business versions of G Suite, such as G Suite Enterprise, offer administrators the tools to monitor users and search device data within the G Suite domain, thereby giving them remarkable levels of transparency to users’ (employees’) Google activities. For example, Administrators can search for Gmail and Google Drive content, and metadata (e.g. dates, subject lines, recipients), and can log and retain this data.
  • Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from desktop and mobile devices and can receive push alerts for certain (suspicious) behaviours.
  • Administrators can use audit logs to see who has looked at or modified each document within the organisation.

Not The First Time

This is not the first time that Google has made the news over G Suite privacy.  Back in July 2018, The Wall Street Journal highlighted how third-party developers could view Gmail users’ messages.

What Does This Mean For Your Business?

This is clearly some unwanted publicity for Google, particularly when there is fierce competition in the business Cloud services market.

The advice for those worried about G Suite’s privacy and security suggested by former Google employee Martin Shelton is to use G Suite mindfully and give yourself a G Suite audit (Gmail, Drive, and Google-connected activity on mobile devices). This way, if you can see certain data you can assume that the administrator and Google are likely to also be able to see it.

Also, if you are concerned about unknown administrators seeing your G Suite data you could consider trying to identify who your G Suite administrators are, what G Suite version you have, whether your organisation is using G Suite Business or Enterprise, finding out what rules have been set in Google Vault and audit logs, and what policies exist for administrative data retention and access.

Mr Shelton also suggests that users may wish to find another cloud service provider that has an end-to-end encrypted format to store any particularly sensitive data, or to simply keep data offline or off a computer entirely.

Food Writer Loses £5,000 in Phone ‘Simjacking’

Well known food writer, Jack Monroe, has reported falling victim to criminals who were able to steal £5,000 from her bank and payment accounts in a “Simjacking” attack.

What Is Simjacking?

Simjacking, simswapping or ‘phone hijacking’ involves criminals being able to port a person’s mobile phone number over onto another SIM card. This is often carried out by criminals who, armed with the necessary personal data of an intended victim, go to a phone shop and pose as a customer who wants to switch to a different mobile provider but keep their existing phone number.

In some cases it may involve mobile operator or phone shop staff members being paid to carry out the crime. One of the first clues that you may be a victim of Simjacking is when your phone suddenly stops working.

£5,000 Taken

In Jack Monroe’s case, the food writer said in a Tweet that her card details and PayPal information were taken from an online transaction which meant that when her phone number was ported onto a new SIM, the criminals were able to “access/bypass authentication” and therefore authorise payments from her account.  In another Tweet, Jack Monroe appears to imply that her date of birth may have been found by the criminals on Wikipedia.

With £5,000 being taken, Jack Monroe Tweeted that, despite being “absolutely absurdly paranoid about security”, not using publicly available email addresses on any financial accounts, using “gobbledegook” letter/number/special character passwords and having two-step authentication on all accounts, the criminals were still able to make purchases and withdraw cash using her account.

Jack Monroe Tweeted the amount taken, saying that the criminals had “HELPED THEMSELVES to around five thousand of them” (pounds). “Total figure not in yet. I’m so white-hot angry”.

Problem Not Addressed

The fact that the crime was committed against a celebrity and has been widely reported appears to have ignited discussion about an area that some feel the mobile industry may not have been addressing.

Mobile Connect – Alternative

The reports have also highlighted possible alternative mobile authentication systems that are available. One example is Mobile Connect, the GSMA’s secure universal log-in solution that matches a user to their mobile phone and is believed to represent a new standard in security.

What Does This Mean For Your Business?

The fact that simjacking is still quite a common crime, and not just in the UK, could highlight the fact that the mobile industry is not putting in enough effort and resources to eradicate the problem. In the UK, some commentators have called for an investigation by the Information Commissioner’s Office (ICO) to see if mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules and GDPR.

The GSMA’s Mobile Connect secure login solution, if adopted and championed by mobile operators and banks, could be one way to begin tackling the challenges that a lack of collaboration and standardisation has posed to security (such as the security problems and breaches that are at the heart of crimes like Simjacking/phone number hijacking).

Thomas Cook Customers and Employees Targeted By Phishing Attacks

Security researchers at Skurio Ltd have warned employees and customers of Thomas Cook to be vigilant after it detected the registration of 53 Thomas Cook-related domains in the week after the travel operator went into receivership.

Phishing Risk

The risk is that cyber-criminals may be seeking to exploit a search for information from customers and staff affected by the company’s collapse to launch phishing attacks.  For example, Thomas Cook-related domains that have been registered but don’t have a holding page or landing-page on them could be used to create a legitimate-looking email address as part of phishing attempts.

German Site

One of the Skurio analysts, John Evans, reported finding a .de Thomas Cook-related domain that hosted a page that pretended to be a legitimate business, but was using the Thomas Cook likeness to make money from customer refund claims.

25% Just Piggybacking

The Skurio researchers found that 25% of the domains registered appeared to be simply piggybacking off the collapse of Thomas Cook, and were using their domains to redirect to other websites.

Holding Pages + Advert Clicks

The researchers discovered that 50% of the recently registered domains had holding pages for websites on platforms like Wix or WordPress (awaiting a full live site).  Some other domains were discovered to be used for ad clicks and ad revenue e.g. with adverts for booking a new holiday or finding jobs for Thomas Cook employees.

Thomas Cook Contracted Skurio

Skurio were monitoring the Thomas Cook-related domain situation because (as reported by Skurio) Thomas Cook had contracted Skurio, long before its collapse, to monitor surface, deep and Dark Web sources in order to provide early data breach detection services. It was as part of this service that Skurio was scanning for new domain registrations relating to Thomas Cook services. According to Skurio, this scanning involved looking for domains set up with subtle spelling errors or additional terms that a customer may expect to see, in order to send phishing emails, create fake social media accounts or capture customer details online.
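A sketch of the kind of check described above, for a brand-protection team reviewing a feed of newly registered domains. This is an added example, not Skurio's tooling: the classification rules, the edit-distance threshold, the placeholder owned domain and the sample domains (all on reserved test TLDs) are assumptions made for illustration.

```python
"""Flag newly registered domains that resemble a monitored brand (added example)."""

BRAND = "thomascook"              # brand label taken from the article
OWNED = {"thomascook.example"}    # placeholder for the brand's own domains (assumption)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one dynamic-programming row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_distance: int = 2):
    """Return why a registered domain looks brand-related, or None.

    Assumes the feed lists registrable domains, so the leftmost label
    is the part the registrant chose.
    """
    domain = domain.lower().rstrip(".")
    if domain in OWNED:
        return None
    label = domain.split(".")[0]
    collapsed = label.replace("-", "")
    if label == brand:
        return "brand-on-other-tld"      # same name, different TLD
    if collapsed == brand:
        return "spelling-variant"        # hyphenated form of the brand
    if brand in collapsed:
        return "brand-plus-term"         # brand with an additional term
    # Subtle misspellings, alone or combined with an additional term.
    for token in label.split("-") + [collapsed]:
        if edit_distance(token, brand) <= max_distance:
            return "spelling-variant"
    return None


def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = classify(d)
        if reason:
            flagged[d] = reason
    return flagged


# Constructed sample feed; none of these are real registrations.
SAMPLE_FEED = [
    "thomascook.example",          # owned, ignored
    "thomascook.test",
    "thomascook-refunds.example",
    "thomascookjobs.example",
    "thomascok.example",
    "tomascook-refund.example",
    "cookbook.example",            # unrelated
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_FEED).items():
        print(f"{reason:20} {name}")
```

A short brand name would need a lower distance threshold, since an edit distance of 2 then matches many unrelated words.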

What Does This Mean For Your Business?

It is not uncommon for cyber-criminals to launch campaigns to take advantage of a popular information search by customers after events such as a high-profile security breach or company collapse.  This is because people may let their guard down and may simply not suspect such an underhand tactic, which is the kind of human error based on emotion that cyber-criminals are counting on.

Phishing attacks are all too common, and a recent APWG report showed that phishing attacks continued to rise in summer of 2019, with cyber-criminals focusing on branded webmail and SaaS providers.

Companies can help guard against phishing attacks by educating and training all staff to be able to spot possible fraudulent tactics, and by encouraging and empowering them to question and refer any suspicious activity that could help to protect the business. Having clear systems for staff to follow, including carefully verifying any new payment requests before authorising them, and continuously promoting online vigilance can be well worth the effort in the fight against phishing, and the generally increasing number of social engineering attacks that companies are facing.

Local Authorities Facing 800 Cyber Attacks Per Hour

Figures gathered by insurance broker Gallagher – through the Freedom of Information (FoI) Act – have shown that UK local authorities were hit by an average of 800 cyber-attacks every hour in the first six months of this year.

Problem Could Be Bigger Than Figures Show

The figures, which were based upon the 203 (out of 408) local authorities that responded, showed that there were more than 263 million incidents in the first six months of 2019. Even though 76 local authorities reported a cyber-attack between January and June 2019, the fact that only half of UK local authorities responded to the FoI request could mean that the problem may be proportionately much worse than even these figures show.

What Kind of Attacks?

Gallagher’s collected information shows that since the beginning of 2017, 17 of the attacks reported by respondents related to loss of data or money, with an average cost to the victim of around £430,000.  Gallagher’s figures also show that only 13% of councils have a standalone cyber insurance policy, meaning that most councils are risking potentially heavy fines under GDPR for any breaches.

Why A Target?

Local authorities and other public sector organisations are attractive targets to cyber-criminals because they hold large quantities of personal data and, perhaps due to a lack of funding and/or getting the most out of IT spending, they may be running older, less secure systems. Also, they have a large number of employees who may lack education about and training in data and cyber-security.

Education A Target

Universities, colleges and schools are also targets for cyber-criminals because they tend to have large numbers of users spread across many different departments, different facilities and faculties, and data is moved between these, thereby making admin and IT security very complicated.  Also, universities have a lot of valuable intellectual property as well as student and staff personal data within their systems which are tempting targets for hackers.

Back in July, for example, Lancaster University, which offers a GCHQ accredited cyber-security course and has its own Cyber Security Research Centre was hit by a phishing attack, resulting in the leak of the personal data of new university applicants.  Also, in 2018, The Information Commissioner (ICO) fined the University of Greenwich £120,000 for a data breach that left the personal details of thousands of students exposed online.

A National Cyber Security Centre report recently revealed that the UK’s universities lost almost £150m from cyber-attacks in the first six months of 2018 alone.

Lost Mobile Devices

Lost mobile devices, many of which may provide access to cloud-based data, are also known to be a problem for government bodies.  For example, an FoI request in July by MobileIron found that government staff had lost 508 mobile and laptop devices between January and April 2019.

What Does This Mean For Your Business?

These figures make worrying reading, especially at a time when council budgets are very limited.  Local authorities are already facing serious decisions about what to prioritise in terms of investment, but GDPR and a duty to protect the privacy and security of local authority customers and staff should mean that data security is kept high up the agenda. Part of maximising the value of investments in data security for local authorities should include ensuring that training and software are put in place to enable a more proactive approach to attack prevention and that staff are educated about threats, and how to spot (and what to do with) suspicious communications by email, social media or other means.

Gallagher’s figures may also serve as a reminder to local authorities that it may be a good idea to make sure, in the light of the sheer number of threats (only one of which needs to get through), that they have a good cyber insurance policy in place.

Google’s Chrome To Block Mixed Content Pages Without HTTPS

Google has announced that in a series of steps starting in Chrome 79, all mixed content will gradually be blocked by default.

What Is Mixed Content?

Mixed content refers to the insecure http:// sub-resources that load into https:// pages, thereby creating a possible way in for attackers to compromise what appears to be a secure web page.  For example, this could be any audio, video, and images that are loaded insecurely from HTTP but appear as part of an HTTPS page when it loads.  Many browsers are already able to block other types of mixed content by default such as scripts and iframes.

Why Worry?

Mixed content from a non-secure source poses privacy and security risks and could provide a way for attackers to spread misinformation. For example, an attacker could alter a chart to mislead viewers or could hide a tracking cookie in a mixed resource load. Also, the mix of secure and insecure content in a page could confuse browser security UX. Google’s own research shows that mobile devices account for the majority of unencrypted end-user traffic.

What Does HTTPS Do?

HTTPS provides a secure, encrypted channel for web connections that can protect users against issues such as eavesdroppers, man-in-the-middle attacks and hijackers spoofing a trusted website. The kind of encryption offered by HTTPS stops interception of your information and ensures the integrity of the information that you send and receive.

Older hardware and software can pose a privacy and security risk because it often doesn’t support modern encryption technologies.

Progress

Progress has been made to make web browsing more secure with the move towards the full introduction of HTTPS, and Google is keen to point out that Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms.

Google now sees its next task as ensuring that HTTPS configurations across the web are secure and up to date.

Roll-Out In Steps

Google says that the roll-out of its blocking of mixed content will happen in a series of steps starting with the release of Chrome 79 (in December 2019) with its new setting to unblock mixed content on specific sites.  Next, Chrome 80 (due for release in January 2020) will auto-upgrade mixed audio and video resources to https://.  Chrome 80 will display a “Not Secure” chip in the Omnibox for mixed images.
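For site owners preparing for these steps, the following added example (not Google's code) scans a page's HTML for http:// sub-resources and groups them by the handling the article describes. It covers only `src` attributes on the tag types named above; the category labels, function names and sample page are assumptions constructed for illustration.

```python
"""Find mixed content in an HTTPS page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a sub-resource, grouped as in the article.
CATEGORY = {
    ("script", "src"): "script/iframe",
    ("iframe", "src"): "script/iframe",
    ("audio", "src"): "audio/video",
    ("video", "src"): "audio/video",
    ("source", "src"): "audio/video",
    ("img", "src"): "image",
}

# Browser handling per category, as stated in the article.
HANDLING = {
    "script/iframe": "already blocked by default in many browsers",
    "audio/video": "auto-upgraded to https:// from Chrome 80",
    "image": "still loads; Chrome 80 shows a 'Not Secure' chip",
}


class _SubresourceCollector(HTMLParser):
    """Collects sub-resources that resolve to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            category = CATEGORY.get((tag, name))
            if category is None or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((category, resolved))


def find_mixed_content(page_url, html):
    """Return [(category, url)] for insecure sub-resources of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content only exists on https:// pages
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed sample page; all hosts are reserved example names.
SAMPLE_PAGE = """
<html><head>
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/ok.js"></script>
</head><body>
<img src="http://img.example/chart.png">
<img src="/static/logo.png">
<video controls><source src="http://media.example/clip.mp4"></video>
<audio src="https://media.example/ok.mp3"></audio>
<iframe src="http://ads.example/frame.html"></iframe>
<a href="http://news.example/">a link is navigation, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    for category, url in find_mixed_content("https://shop.example/", SAMPLE_PAGE):
        print(f"{category:14} {url}  ->  {HANDLING[category]}")
```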

What Does This Mean For Your Business?

The introduction of measures to display warnings about and to block mixed content will put pressure on some businesses to clean up their web pages and make it more difficult for cyber-criminals to find a way through browser security.  This is good news for businesses and web users alike.

It should be remembered, however, that secure websites with encrypted connections can still be harmed by certain cryptographic weaknesses e.g. due to external or related-domain hosts, so it’s important for businesses and individuals to keep up to date with software patches and fixes.

Worldwide Rollout of ‘Personal Vault’ OneDrive Security Features

Microsoft has announced that the ‘Personal Vault’ security features for its OneDrive storage service are now available worldwide on all OneDrive consumer accounts.

What Is Personal Vault?

Personal Vault is a protected area in OneDrive that can only be accessed with a strong authentication method or a second step of identity verification.  These methods include a fingerprint, face, PIN, or a code sent to the OneDrive user via email or SMS.

The idea of Personal Vault is to add another layer of protection to important files, photos, and videos e.g. copies of documents such as a passport, driver’s licence, or insurance information. Even though the new feature means that users must go through a verification process, Microsoft has stressed that it won’t slow users down and that they should still be able to quickly access their files on a PC, OneDrive.com or on their mobile device.

Protection Against Lost, Stolen, or Unauthorised Access

The Personal Vault security measures should mean that files are not being stored unprotected on a PC and have additional protection, even if the Windows 10 PC or mobile device is lost, stolen, or if someone gains access to it or to the user’s account.

Other Security Measures

In addition to the second layer of identity verification, Personal Vault also includes security measures such as:

  • Scan and shoot, which enables documents to be scanned or photos to be shot directly into the secure Personal Vault area rather than leaving them on a camera or unsecured device.
  • Automatic locking of the Personal Vault after a period of inactivity to protect against private files being left open accidentally.
  • BitLocker encryption on Windows 10 PCs, so that all Personal Vault files are synced to a BitLocker-encrypted area of the local hard drive.
  • Restricted sharing so that Personal Vault and shared items moved into Personal Vault can’t be shared.

Some Limitations

Personal Vault does come with some limitations. For example, users with OneDrive’s free or standalone 100GB storage plan can store up to three files in Personal Vault, and Office 365 subscribers can store as many files as they wish as long as this doesn’t exceed their normal storage limits.

What Does This Mean For Your Business?

For Microsoft, Personal Vault is another step in its competition with its most popular competitor, Dropbox, which recently partnered with BetterCloud to help it provide cutting-edge data protection and orchestration.

For businesses using OneDrive, these new security features should prove attractive, particularly when most businesses need safe, fast Cloud storage for mobile devices and work PCs, and need an easy, reliable and convenient way to store sensitive and personal files and data.

Police Auction Hacker’s £240,000 of Cryptocurrency

The £240,000 of cryptocurrency confiscated from a teenager who was jailed for hacking ISP TalkTalk has been auctioned by police with the proceeds going towards fighting crime.

TalkTalk Hack

Elliott Gunton (now 19) was jailed for 20 months in August this year for hacking offences, money laundering and for the breach of a Sexual Harm Prevention Order that was issued to him in 2016 for another offence. The hack on ISP TalkTalk took place when Gunton was 16 years old, and he is reported to have sold the stolen customer data on the dark web to other cybercriminals for £2,469 in bitcoin.

The total amount that police were able to trace that was raised by sales of the stolen data was around £275,000 worth of cryptocurrency, including Bitcoin, Ripple and Ethereum.

Hidden

Mr Gunton is reported to have used sophisticated methods to hide the large amount of cryptocurrency under his control but left several key clues which led to his arrest.  These included describing himself on a Twitter account as a “full-time crypto trader”, tweeting about how he had lots of money without people knowing, and telling a police officer that he was dealing in shares and would soon be a millionaire.

Parents

Mr Gunton’s parents were also charged (at a later date) with helping their son to move some of his cryptocurrency, earned from dark web sales, out of a seized police-bitcoin wallet.

Auction First

The auction of the cryptocurrency, via Wilson’s Auctions, by the Eastern Region Special Operations Unit of the police was the first auction of its kind.  Chief Inspector Martin Peters, of the ERSOU Cyber Crime Unit, is reported as saying that the sale would be a way to instil public confidence in the police force’s method of recouping the proceeds of crime in a way that was secure, innovative and transparent.

What Does This Mean For Your Business?

We often hear reports about hacks and dark web sales of data but we rarely hear about convictions or about what happens to the proceeds of crime for those hackers who have been successfully convicted. For many businesses and individuals who have fallen victim to cybercriminals, a report of this kind may offer some kind of reassurance that something is being done, and in a productive way that puts more money into fighting crime.

For those victims of the TalkTalk hack, who may well have been targeted by cybercriminals after having their details stolen and sold by Gunton, they may well have wished for tighter security by TalkTalk in the first place and may hope that ISPs are investing enough of their own money in keeping their cyber defences up to date.