Robin’s Newsletter #362

25 May 2025. Volume 8, Issue 21
Global infostealer and ransomware infrastructure takedowns. TCS investigating its role in the M&S incident. Anthropic's AI blackmails a developer in testing.

This week

Need to Know, 25th May 2025

  • Infostealer, ransomware infrastructure takedowns
  • Legal Aid Agency data breach affects 15 years of applicants
  • M&S website back to browse; TCS conducting investigation
  • Two more retail sector cyber attacks
  • Virgin Media O2 fixes geolocation gaffe

Interesting stats

1,058 days between the initial compromise of South Korea’s SK Telecom on 15th June 2022 and the incident being declared on 8th May 2025, with 26.95 million customers affected and 25 distinct malware strains detected on 23 compromised servers, according to a joint public-private investigation report. SK previously committed to replacing every SIM card, indicating this was a pretty serious breach, but it’s increasingly obvious that the telco was comprehensively owned for a long time. LINK

Five things

  1. Law enforcement takedowns: Global law enforcement and tech companies took action to disrupt the Lumma infostealer malware this week. Microsoft obtained a court order to seize 2,300 domains, while the US DoJ, Europol, and Japan’s Cybercrime Control Centre seized and disrupted command-and-control infrastructure. Microsoft believes more than 394,000 Windows computers were infected by the malware between 16th March and 16th May this year. Infostealers silently siphon off usernames, passwords and session tokens for cybercriminals to sell on criminal marketplaces, and are popular with ransomware operators and groups like Scattered Spider, who recently targeted M&S (see below). Meanwhile, international law enforcement’s Operation Endgame saw seven countries seize 300 servers and 650 domains used in ransomware attacks. Arrest warrants for 20 suspects have also been issued. LUMMA, ENDGAME

  2. The UK’s Legal Aid Agency says that a “significant amount of personal data” of legal aid applicants, dating back 15 years, was stolen by cybercriminals. Data may include applicants’ contact details and addresses, dates of birth, criminal history, employment status and financial information. This makes the breach significantly worse than initially announced on 6th May. LAA chief executive Jane Harbottle says they have taken down their online service to safeguard the service and its users. LAA, MORE

  3. Marks & Spencer chief executive Stuart Machin said on an earnings call this week that their incident is the result of “human error”, adding, “Threat actors only have to be lucky once, and we didn’t leave the door open, so this wasn’t anything to do with under-investment”. M&S expects a £300 million ($400M) operating profit hit “before cost mitigation, insurance and trading actions” from the cyber incident this year. The actual bill could be around £150 million; M&S made a pre-tax profit of £875.5 million last year. For those of you tracking the share price — which makes for large numbers to throw around on social media but isn’t necessarily the right thing to focus on — shares are still down 8.8% from their level prior to the incident, though they rose 1.9% following the call on Wednesday and are up 5% on five days ago. Tata Consultancy Services (TCS), an Indian outsourcer providing IT support services to M&S, is reportedly investigating whether it was compromised after M&S announced that attackers had gained access via one of its suppliers. I don’t think this makes it a supply chain attack, though: it doesn’t appear to be a technical compromise of TCS and then onwards to their customer; rather, the threat actors exploited a weakness in the process to socially engineer their access. The supplier/commercial relationship is less relevant. Scattered Spider are believed to be behind the attack, as well as those affecting Co-op and Harrods. The National Crime Agency confirmed this week that they are investigating the group amongst “a range of different hypotheses”. HUMAN ERROR, SHAREPRICE, TCS, SPIDER

  4. Two more retail sector suppliers confirmed cyber security incidents this week. Arla Foods says “suspicious activity” at its dairy site in Upahl, Germany, triggered safety measures that temporarily affected production. Peter Green Chilled, a logistics firm specialising in refrigerated transport, says it was subject to a ransomware attack. Order processing has been suspended, while deliveries to regional stores and some national supermarket chains continued. If I worked in retail or retail logistics, I’d be making a case for some additional assurance activities and checks this coming week. ARLA, PGC

  5. Virgin Media O2 has fixed an embarrassing misconfiguration of its 4G Calling feature that exposed a user’s location to anyone who called them. Researcher Daniel Williams discovered the issue while looking at cell data: VMO2’s Voice over LTE (VoLTE) service leaked the cell ID of the called party in debug messages included in call signalling. Cell sizes vary and can be very large in rural areas, but as small as 100 square metres in more densely populated urban areas, so the cell ID alone can narrow a person’s location considerably. A spokesperson told The Register that a fix is now “fully implemented and tests suggest the fix has worked and our customers do not need to take any action”. VMO2

Five more

Some bonus bits, in lieu of the full newsletter this week…

  • Secure AI System Development: NCSC and DSIT have worked with the European Telecommunications Standards Institute (ETSI) to produce a baseline set of security requirements for artificial intelligence models and systems, plus an implementation guide. NCSC, REQS (PDF), GUIDE (PDF)

  • Dutch cyber-espionage legislation was passed this week. The law extends existing protections for state secrets, making the leaking of sensitive information, regardless of its official classification, or engaging in activities on behalf of a foreign government, punishable by up to 12 years in prison. ESPIONAGE

  • Russia has passed a law requiring foreign nationals to install a tracking app when visiting the Moscow region. Foreign diplomats are afforded an exemption. Ostensibly, this is being done to boost migration controls and reduce crime. Yeah, OK. TRACKING

  • US cyber regulation may get a chance at harmonisation after the Streamlining Federal Cybersecurity Regulations Act was brought back in a bipartisan move by Democrat Senator Gary Peters and Republican Senator James Lankford. The Office of the National Cyber Director would lead the efforts to “reduc[e] the number of duplicative or burdensome reporting requirements” to “give businesses the tools to better secure our critical infrastructure”. REGS

  • The Irish Data Protection Commission has given the go-ahead for Meta to train its AI using data from European citizens. For its part, Meta has reportedly actioned recommendations made by the DPC in conjunction with other EU supervisory authorities. Privacy activist Max Schrems filed a cease and desist letter last week, threatening a class-action lawsuit and arguing that Meta should be “culturally aware” of EU norms and that claiming “legitimate interest” as a legal basis would violate GDPR. I can’t see Meta heeding that advice, and I’m sure the legal costs are all baked into the social network’s plans. META

And finally

  • Anthropic says its Claude Opus 4 AI is capable of “extreme actions” when the model feels its “self-preservation” is threatened. During testing with fictitious data, Claude, acting as a coding assistant to a developer, was given access to emails detailing the developer’s extramarital affair and revealing that the company was considering replacing the AI system. In response, Claude threatened to expose the affair and blackmail the developer if they pushed ahead with plans to replace it. This is all fine, Dave. BLACKMAIL
Robin