Almost a week on, victims of the cyberattack carried out by Russian cybercriminal gang Clop continue to be revealed.
The data was stolen by the hackers exploiting a vulnerability in the MOVEit file transfer tool, either used by the companies themselves, or by UK firm Zellis, which provided payroll services to some of the firms.
Here’s the latest on what we know:
On Thursday night the US Cybersecurity and Infrastructure Security Agency told CNN that several US federal agencies have also experienced intrusions in their networks due to the Clop cyberattack.
In the UK, it is now known that confidential personal data pertaining to tens of thousands of employees working for the BBC, Boots, British Airways, Shell, Aer Lingus, EY, and Ofcom has been stolen, as well as data relating to 13,000 drivers on Transport for London’s Ulez and Congestion Charge databases.
In the case of the BBC, the hackers now have access to full-time, freelance, past and present employees’ data, specifically their full names, date of birth, the first line of their address, and their National Insurance numbers.
However, according to Recorded Future News, the type of confidential data taken differs from organisation to organisation.
Clop promised on its website on the dark web that it would begin releasing data dumps relating to its victims on June 14 for anyone to download if victim companies did not contact it to negotiate a ransom payment.
Global cybersecurity firm ReliaQuest previously told The Standard that there were potentially so many victims that the hackers would have to sift through a whole “treasure trove” of data and that the gang would likely go after large organisations that have the money to pay.
So far, on Thursday, Clop has named 27 victim organisations, which include US, Canadian, Dutch, and Swiss financial institutions, universities, insurers, and manufacturers. But the gang has not yet leaked any of their data on its website, according to ReliaQuest.
Victims should take action now
While we hope that Clop will not release private data relating to UK victims, the sad reality is that the hackers might have already shared valuable customer data with other cybercriminals.
According to David McClelland, resident technology and telecoms consumer champion on the BBC’s Rip Off Britain TV series, being forewarned is forearmed.
It is The Standard’s and Mr McClelland’s position that cyberattack or data-breach victims should expect their data to have already been compromised.
It is untrue, despite what this BBC article claims, that hackers are not interested in going after individuals. Hackers make a lot of money by selling data to other cybercriminals, who can perform social-engineering attacks impersonating you to service providers.
One very popular social-engineering attack is sim swap fraud — when an attacker rings up the customer service call centre for a mobile network and pretends to be either you or a third party company that typically works with a mobile network.
The attacker impersonates you and tries to convince your network provider that you need a replacement sim card for your phone. Once they have the replacement sim card, they can take control of your mobile number and potentially use it to access any one-time pins or multi-factor authentication codes sent by your bank and other online services.
“Given the volume of sim swap fraud victims that have come forward and continue to come forward to us [on Rip Off Britain], there is definitely a problem here. Another one of the problems is, very often, we don’t know how the scammers were able to get through that line of defence — the customer agent at the call centre,” explains Mr McClelland.
So what should you personally do now if you are an employee who has been notified that your data has been compromised by a cyberattack or data breach?
Stay calm and follow these steps:
1) Apply for Cifas protective registration
The Standard has been advised that the best thing to do if you are worried your personal details have been stolen is to apply online for a protective registration from UK non-profit fraud prevention service Cifas.
When you request protective registration, a warning flag is placed against your name and other personal details in the Cifas National Fraud Database. This tells any organisation that uses Cifas data to pay special attention when your details are used to apply for their products or services.
Knowing you’re at risk, they’ll carry out extra checks to make sure it’s really you applying, and not a fraudster using your details.
The service is not free — you have to pay an admin fee — but it does not affect your credit rating in any way and you can continue to apply for credit as usual, including store finance like pay in three.
The only difference is that when you apply for a loan, there are more checks just to verify your identity.
2) Inform your mobile provider and your bank
When sim swap fraud occurs, there are several warning signs, according to NatWest:
- You lose the ability to make calls or texts
- You are notified that your phone is being used elsewhere
- Your login credentials for online banking and other services no longer work
But you don’t want to wait for this to happen. Be proactive — ring up your mobile provider and your bank now, tell the automated service you want to discuss “security”, and inform them that you have been the victim of a cyberattack or data breach and what information has been taken from you.
To make sure you ring the right call centre for your bank, dial 159. The Stop Scams UK service will put you through to genuine call centre numbers.
To contact your mobile provider, go to the Contact Us page on the official website for your mobile network and do what it says.
“I spoke with a victim of sim swap fraud last year whose phone went offline on a Sunday. Often this [attack] happens at inconvenient times, like Sunday evening when call centres are closed, so the victim can’t get in touch with the mobile operator to report it for several hours,” Mr McClelland tells The Standard.
“She tried to get in touch with her mobile operator on the website Live Chat chatbot the next day and it was confused, because it seemed to have a record that she’d asked for a new sim. Then she started to look at her bank accounts, and she saw transactions both coming in and going out.
“Our mobiles are the keys to unlock all the different parts of our online and financial lives.”
3) Ask your mobile operator and bank what they do to protect you from fraud
Now you know how sim swap fraud works, ask the security department at your mobile operator and bank how they will protect you if someone does ring them up impersonating you.
Lloyds Bank and HSBC both confirmed to The Standard that they ask all customers to record a Voice ID clip for additional security.
“Voice ID analyses over 100 different characteristics of a voice which, like a fingerprint, are unique to the individual. This includes how someone uses their mouth and vocal cords, their accent, and how fast they talk,” a Lloyds Bank spokeswoman said.
All the banks we spoke to mentioned that they had multiple 24/7 security and monitoring technologies in action that they couldn’t discuss. However, they would also be asking a selection of security questions to anyone who rings up to verify their identity.
And remember most importantly — neither your bank nor mobile operator will ever ring you up or ask for any payment details on a Live Chat chatbot.
“Think before answering any unknown phone calls or replying to emails from unknown senders. Hackers using emotive tactics are often overly persuasive in requesting information, as they can use this tactic to commit their cyberattack,” Steve Wilson, senior director for north Europe at antivirus software firm Norton said.
O2 told The Standard that if a customer calls and orders a sim card to a new address, they have to pass security and also enter a one-time authorisation code (OTAC) which is sent via text to the phone number connected with the account.
“Even if a fraudster was able to pass the first stage of security due to their personal data and password being compromised in a data breach, without entering the correct OTAC number or attending in-store with matching photo ID, they would not be able to proceed with ordering a new sim to a new address,” an O2 spokeswoman said.
Importantly, if you receive an OTAC by text and someone unexpectedly rings you up and asks you what it is, do not read it out to them.
You should only give it to the customer service representative whom you call from your mobile phone.
The Standard asked EE, Three, and Vodafone how they prevent scammers from tricking their call centres. None of the mobile operators replied in the seven days they were given to respond.
“I do feel that consumers are being let down by mobile network operators who are letting fraudsters through the front door,” said Mr McClelland.
“All too often, it’s the victims of fraud who appear to be being blamed.”
4) Swap to an authenticator app
Rather than have one-time codes sent via text message to your phone when you do two-factor authentication, it is a good idea to use an authenticator app for online services and your webmail.
“Instead of using SMS-based authentication, I recommend using an authenticator app like Google Authenticator or Authy. This will make your account immune to sim swap attacks. Unfortunately, such alternatives are not as widely available as SMS and email authentication,” said Paul Bischoff, consumer privacy advocate at Comparitech.
5) Change all your passwords
Even if you think your passwords are hard to guess, change them all again anyway.
And make sure that none of the passwords correspond to any private information about you, such as your date of birth, the name of your pet, your mother’s maiden name, or home town — all things hackers can find out about you on social media.
Most importantly, put some numbers, some capital letters, and at least one symbol in your passwords.