CyberWire Daily - Due diligence cannot be done as a one-off. [Research Saturday]

Episode Date: June 6, 2020

Earlier this year, a Virgin Media database containing the personal details of 900,000 people was discovered to be unsecured and accessible online for 10 months. The breach was discovered by researchers at the security firm TurgenSec. This breach had major implications under GDPR. Joining us in this week's Research Saturday are George Punter and Peter Hansen from TurgenSec to talk about the discovery of the breach. The research can be found here: Virgin Media Disclosure Statement & Resources

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:33 We can't say too much about the exact process we used to find this, as Virgin Media was part of a much larger collection of breaches that we're currently processing. Our guests are George Punter and Peter Hansen from TurgenSec on their research that led to the discovery of the Virgin Media breach. One of which was the recent legal breach, 193 law firms, I'm not sure whether you guys heard of that one,
Starting point is 00:03:15 but that's been in the news a bit recently. That's Peter Hansen. More or less just scanning open servers in a particular way, I would say. And when you get a hit, when you discover something that you think may require a little more of your attention, what's that process like? What happens next? Yeah, so we have a set of policies and processes. So the first step, in accordance with the flowchart that we have,
Starting point is 00:03:42 is that we document IP colon port colon date in a table. And then from this table, once it's been populated a certain amount, we'll have someone go through it and assess the priority. Obviously, not all breaches are equal, and we want to get to the ones that are most serious first. The first step on that is examining the immediately visible data, deciding whether it's government data or not. Because obviously, if it's government data, it's not something that we can touch. And we just need to report that to the NSSC at that point. And then from there, basically, we've got this whole huge process, pretty much, of a logic flow for understanding how to deal with it.
Starting point is 00:04:23 Because obviously, it's a different process depending on the specific circumstances with each one. Because obviously you have government data, but you also have corporate data versus individual data. So these different types need to be processed in different ways. Yeah, and just for our listeners, I'm looking at quite an elaborate flowchart here of responsible disclosure. I mean, what are the overall principles here that you're following when it comes to responsible disclosure?
Starting point is 00:04:54 So we have another document for just that. Of course you do. Yeah, we've been very careful to do this in a way that we don't get sued. So the overall points on the policy, we have a list of primary objectives here. So first one, lawful timely discovery of data sets containing personal information being one of the first points. Then the protection of rights of individuals being the second. Timely and consistent communications with the organisations found to be suffering from the data breach.
Starting point is 00:05:31 Then the application of fair and ethical standards, the balance of the rights of individuals and organisations. So whether we prioritise protecting individuals where individual data is breached or prioritise protecting organisations. Because obviously there's a bit of an interesting question here whether when you're causing damage to organizations you're actually causing more damage to individuals. So say for example with the Virgin Media breach Liberty Global shares took a pretty huge hit after the disclosure as well as the I'd imagine
Starting point is 00:06:02 what will come through eventually in the ICO fine as well. So it's a question of how much, how do you balance the likelihood of damage to the individuals against the damage that will be done to the companies? Because obviously we don't want the companies to suffer in a way that forces them to lay people off. Then the next one would be encouraging organisations to be transparent and the adherence to the letter and spirit of the legislation protecting personal data and the rights of individuals are the main points that we operate on. Yeah.
Starting point is 00:06:35 So there was one you missed there, Peter, which is adherence to the letter and spirit of legislation. That's George Punter. And when we say that, we mean GDPR legislation, which has quite a strong spirit with the GDPR legislation, which a lot of people might not know is that it is quite, it's not laid in stone and it's built upon acting within the spirit and the principles of GDPR. And so we seek to address that as well. Now, when you come upon something like you did with Virgin Media, where I suppose fairly quickly
Starting point is 00:07:14 you knew that you had something significant. What is the process that you go through there in terms of reaching out to Virgin Media themselves? And if you could give us a little bit of play by play as to how it worked in this case. Okay, so we contacted their DPO, Peter Hansen. And it wasn't actually me or George that was the person handling this exact set of communications. I believe their chief cybersecurity officer got back to us. Overall, Virgin Media were pretty responsive in the first instance. They did a pretty good job overall. Yeah, I believe the response and the database being closed
Starting point is 00:07:54 was within 10 minutes, which was very impressive. Wow. Yeah, yeah, it was very, very good. It got referred up to Liberty Global after that. And I think they did everything was everything was they did everything right more or less up to the point of perhaps the statement I think the biggest thing that really skewed things I think was the FT approaching a senior member of Virgin Media and asking him so like basically jumping on him and saying have you had had a data breach? And then publishing based off that because they were forced to act quite quickly.
Starting point is 00:08:27 Yeah. If I could just say something. George Punter. Which is that it's typical with these companies that they would seek to underplay the extent of breaches. And this happened a little bit with the rushed Virgin Media response, but they quickly corrected that. And overall, we're quite happy with the way Virgin Media played out. They cooperated with us, aside from the little hiccup at the beginning, which is kind of, I wouldn't say it's typical with our experience. We've been threatened before, we've been told that
Starting point is 00:08:59 we're spammers, and most recently with the legal breach you of course have Advanced Software, who are, it seems, refusing to come clean. And in the end it only makes it look worse for them, we think, to be honest. If you're not transparent and upfront from the beginning, it just begins to look worse and worse as the story develops. Now, there was a point where you all took issue with some of the ways that Virgin Media was describing the breach itself, in terms of the types of information that was released and the severity of that. You all had a post on your own website where you all thought the severity was perhaps more significant than what Virgin Media was making it out to be.
Starting point is 00:09:54 Yeah, so the overall point there, I guess, was that they didn't have as much time to go through it necessarily as potentially even we did when we were triaging. So when the FT jumped on the executive figure at Virgin Media and said, basically, has this happened? They had to roll out a statement super, super fast in response to what the FT were writing. And they did get a forensics organization involved to help them. But I don't think that was even fast enough still, because obviously the timescale they were working
Starting point is 00:10:32 with was super, super tight at that point. The overall vibe with any of these disclosures is that companies don't want to overstate. So they play it on the safe side. The key point, I guess, from us was the customers being linked to porn, I guess. And this has to do with customers being able to make requests for certain types of content that they either want blocked or unblocked. Yes. Gotcha. Now, can you take us through, describe for us actually what the issue was here in terms of this data being exposed to the internet? What had Virgin Media failed to do here? Yeah, I think what I would say is usually with these things, it's never a technical thing that's gone wrong.
Starting point is 00:11:20 It's usually a process error. So whilst it's very easy for someone to make a configuration error or something like that, and the issue is process mainly, and especially supply chain security as well. Now, in your responsible disclosure program here, do you give the organizations a certain amount of time before you go public with them?
Starting point is 00:11:47 Yeah, absolutely. Yeah, so we have a whole timeline document for that. And we strongly encourage organizations to work together with us on a statement. So this is what happened with Virgin Media. We were actually in the process of working on a statement with them together, but then it was leaked to the Financial Times before we could finish that process, and we were a little bit ambushed. But aside from that, we were cooperating with them on making a statement together, and that's what we aim to do with
Starting point is 00:12:18 all of these breaches. With Advanced, they explicitly stated that they did not want to work with us, and we have not seen that turn out very well. Yeah, and so I would say, I mean, in general, from a broader point of view, what are your recommendations for organizations to better protect themselves against this sort of thing? I would say have a systemized process for assessing the cybersecurity capabilities of their suppliers. Also to understand that due diligence is not something that can be done as a one-off. So organizations change, and let's say you're taking on a new supplier. You can do due diligence on them before they are holding your data.
Starting point is 00:12:59 But you also need to do it afterwards as well, especially given that in many cases, they'll actually be expanding their systems to account for adding you in, if you get what I mean. Have you seen any shifts since GDPR came into effect? Have organizations gotten better with this? Are they giving it better attention? I think probably overall. I haven't got any stats to back this up. I would suggest that the more the ICO can do its job, the more the National Cyber Security Centre can do their job, the more painful it will be for corporations to mistreat data and the more they will handle it properly. I mean, ultimately, the only thing that any of these big businesses care about is money.
Starting point is 00:13:46 So obviously, if it's in their financial interest to look after data, then they will do it. Also, along with that, we're hoping that through our responsible disclosures through breaches.uk, by raising publicity over these breaches and the extent of these breaches, notifying the people who are involved in these breaches, and letting the people who've been involved in the breaches know if and how much compensation they might be due, because there is actually precedent for receiving compensation if you're involved in a data breach, which most people aren't aware of. We hope by doing those things we can provide some level of accountability to the organizations and also a financial incentive to handle people's data more carefully.
Starting point is 00:14:31 Because if it comes out in the press, people find out about it, or if they get class actions against them, they're going to start paying attention. What sort of advice do you have for the organizations who find themselves in the middle of something like this? If they find themselves in the midst of some sort of data breach like this, what's the best way for them to handle it, to have the least amount of
Starting point is 00:14:56 reputational damage as they go? I would say the best thing you can possibly do is to work closely with the people who are disclosing to you, they're ultimately they're not out to they're out to do you harm if they were they wouldn't be talking to you i'd say the best thing the best thing is talk talk to the people making the disclosure understand what what it is that their process is and just work with them work with them to the end of the earth i guess because uh ultimately that that's the that's the almost like an independent assurance on anything that they produce. Another thing I would say is from the outset, react quickly, take it seriously, be open and transparent about the full extent of the breach and also be open and transparent about all of the internal investigations
Starting point is 00:15:43 and practices that you're putting in place after the breach has happened. I think in some cases, good crisis management can often, after a breach, improve consumer confidence, because a lot of people realize that data breaches are inevitable. And it's really the response of the company to a data breach which can, like, separate the wheat from the chaff in a way. If you respond quickly, let all the right people know, be completely open about what you're doing, how you're going to prevent it from happening again,
Starting point is 00:16:22 then I think you can really win or at least not lose the trust of your customers after a data breach. Yeah, one thing I would say is, as an example, we rang up, or I personally rang up somebody recently, just the other day actually, to disclose one of these huge breaches, something that's actually, in terms of the number of people impacted, significantly larger than Virgin Media. that's actually, in terms of the number of people impacted,
Starting point is 00:16:44 significantly larger than Virgin Media. And I asked this guy who was responsible whether he'd be prepared to give me an email address so we could format all the stuff and send it through to him to help him understand what happened. And he told me that he didn't have an email address, which was just great, really. How could that be? Yeah, well, I don't know.
Starting point is 00:17:07 Yeah, you should send him an email, Peter. We found his email addresses anyway, don't worry. Yeah, I mean, I suppose I can understand the impulse to sort of hunker down and try to protect yourself when you're trying to figure out what's going on. But at the same time, you don't want to be adversarial with the folks who are coming to you, presumably with helpful information. Yeah, I mean, in the case of a data breach, if someone's coming to tell you it's happened, then they're definitely on your side because there's a lot of places they could go,
Starting point is 00:17:38 which doesn't involve incurring risk to themselves. It's like shooting the messenger in a way. incurring risk to themselves. It's like shooting the messenger in a way. Our thanks to George Punter and Peter Hansen from TurgeonSec for joining us. We'll have a link to their research in the show notes. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:18:12 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. The Cyber Wire Research Saturday is proudly produced in Maryland Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, And I'm Dave Bittner. Thanks for listening.
