Rhysida ransomware gang: We attacked the British Library

The Rhysida ransomware group says it's behind the highly disruptive October cyberattack on the British Library, leaking a snippet of stolen data in the process. A low-res image shared to its leak site appears to show a handful of passport scans, along with other documents, some of which display the format of HMRC employment …

  1. Andy The Hat Silver badge

    I still find it amazing that ransomware and crypto gangs appear to be the first criminals in the world that can openly advertise themselves, seemingly with little fear of being caught ... What is happening to this world?

    1. Yet Another Anonymous coward Silver badge

      We allowed everyone to communicate with each other around the world and lost the ability to simply send a gunboat to anyone who displeased us.

    2. Eclectic Man Silver badge

      Aside: Not quite the first ...

      Interviewed on BBC Radio, an actor said that as he was contracted to play a Mafia Boss, he went and 'hung out' with a Mafia Boss in a city in Italy. He learnt the mannerisms and gestures to such an extent that when he wanted to cross the road anywhere in that city all he had to do was hold up his hand and the traffic would stop. His performance in the movie was, apparently, very convincing.

    3. IGotOut Silver badge

      @andy.

      If you manage to trace someone who, by their very nature, is very IT literate, how do you then get them into a court in your country, when the country they are residing in at best has no extradition treaty and at worst is openly hostile to you?

  2. Neil Barnes Silver badge
    Mushroom

    We've engaged in illegal acts to obtain this data

    But it's ok, we're trustworthy, we won't sell it to anyone else.

    You can trust me: I'm a blackmailer.

    1. lglethal Silver badge
      Facepalm

      Re: We've engaged in illegal acts to obtain this data

      Pay a Blackmailer once, and you will be paying them forever. So it is, so it has always been, and so it will always be.

      Organisations that pay Ransomware Scum, will find this out eventually...

      1. Yet Another Anonymous coward Silver badge

        Re: We've engaged in illegal acts to obtain this data

        >You can trust me: I'm a blackmailer.

        Ironically they have to be trustworthy or nobody would ever pay them.

        The best way for a law enforcement agency to stop this sort of crime would be to steal some data from a very public organisation, have them pay up and then release the data anyway with the message "Suckers!" then nobody would ever pay again and so there would be market and no thefts

        1. IGotOut Silver badge

          Re: We've engaged in illegal acts to obtain this data

          The best way to stop ransomware, or at least curtail it, would be for as many countries as possible to work together and make it a criminal offence to pay them, fine any companies that do (say double the amount they pay), and equally an offence to offer insurance to cover said payments.

          If there is no money for them, this form of computer crime at least, would all but dry up.

          1. Yet Another Anonymous coward Silver badge

            Re: We've engaged in illegal acts to obtain this data

            Then companies would simply pay the same amount as a consultant fee to a 3rd party cyber security expert to ensure the data was never leaked.

            In the same way it's illegal to pay bribes but you can pay consulting fees to the family of the president for their technical expertise

            1. lglethal Silver badge
              Stop

              Re: We've engaged in illegal acts to obtain this data

              That sort of thing is considered illegal everywhere in the world, outside of third world countries, dictatorships, and the US...

          2. katrinab Silver badge
            Flame

            Re: We've engaged in illegal acts to obtain this data

            Jail the people who actually make the payment

          3. Cynical Pie

            Re: We've engaged in illegal acts to obtain this data

            And if you believe that I have a bridge you might be interested in... also I have some very impressive magic beans...

  3. cantankerous swineherd

    the British library keep passport scans? are they in a foreign country?

    1. Random person

      As part of checking that somebody has a right to work in UK an employer has to "Make and keep copies of the documents and record the date you made the check."

      https://www.gov.uk/check-job-applicant-right-to-work

      Employers have been required to check people's right to work for a number of years.

      1. heyrick Silver badge

        There's an obvious flaw here, then. The document should exist for as long as necessary to verify it is real, then that check should be recorded and the copy deleted.

        Otherwise, things like this can happen.

        [where I work it's similar rules, but they make a black and white photocopy and store it in a folder in a locked filing cabinet in a locked office, so nothing floating around god knows what cloudy providers]

        1. Neil Barnes Silver badge

          I trust you also have a sign saying 'beware of the leopard'?

        2. Yet Another Anonymous coward Silver badge

          >The document should exist for as long as necessary to verify it is real,

          The problem is that for the immigration service that's forever, if they can demand you show proof of past employees.

        3. IGotOut Silver badge

          "where I work it's similar rules, but they make a black and white photocopy and store it in a folder in a locked filing cabinet in a locked office"

          You may want to look into the Windrush scandal and how that happened.

          Hint: it involved paperwork in filing cabinets that were taking up too much space.

          1. Yet Another Anonymous coward Silver badge

            James Hacker : [reads memo] This file contains the complete set of papers, except .... Lost in the floods of 1967...

            James Hacker : Was 1967 a particularly bad winter?

            Sir Humphrey Appleby : No, a marvellous winter. We lost no end of embarrassing files.

        4. RavingDave33

          Thank-you Hedrick!

          Over the years I have found "El Reg" to be informative and (in the good old days of Dabsy & "Post Pub Grub", etc, i.e. before they were taken over by BoringTech Inc.) entertaining.

          As a non-techie, I am baffled as to why the default for any org requiring personal data is not "put it into a separate container and lock it away - even electronically".

          Why does the ICO enforce this as a rule? Why do our politicians not make laws explicitly requiring such? Why, because they are all c*rr&pt, so dare not upset the big data vacuumers for fear of losing another directorship?

          Next time that anyone dare send me a hypocritical reminder to be careful of my personal data, I will forward it on to HM Gov to remind them that THEY need to be taking care of my personal data.

      2. NeilPost

        But once validated, you don’t have to keep them forever.

        UK GDPR is the same as EU GDPR.

        The UK GDPR sets out seven key principles:

        Lawfulness, fairness and transparency

        Purpose limitation

        Data minimisation

        Accuracy

        Storage limitation

        Integrity and confidentiality (security)

        Accountability

        These principles should lie at the heart of your approach to processing personal data.

        https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/

        1. Jim Whitaker

          They get kept for as long as is necessary. The method of having a "trusted" person in your organisation have sight of the relevant documents and for them then to record "conditions met" is attractive. Attractive, that is, until the relevant law enforcement bodies rock up on your doorstep and start asking difficult questions.

          1. Lurko

            This "we've got to keep records for years and years because the regulations say so" excuse is bollocks in the context of a data breach. If they need copies of people's passports, birth certificates, then either immediately transfer them to archive and delete them from live systems, or take hard copies and file those.

            Time and again, big, bungling organisations lose other people's data because they've made it easily accessible when there wasn't a need for access to be easy. How often do HMRC rock up and ask for proof of right to work documents? Once in a flood. If HMRC (or Home Office) have to wait a couple of days for a tape backup to be found and loaded, then that's far better than the organisation losing data that can have a negative impact on the individual for years.

        2. Anonymous Coward

          GDPR

          You are correct in that you don't have to keep copies of the validated documents/information forever but you do have to keep them for two years after the person left your employment.

          All of which has got nothing to do with GDPR which - as you say - are principles and any legal or other valid requirement to keep documents indefinitely does not go against any of those seven principles which in essence boil down to keep data safe, not keeping data you don't need, and not keeping it *longer than you need to*.

          1. Richard 12 Silver badge

            Re: GDPR

            Fundamentally, the problem is the Home Office, who attract and/or create ministers who are incredibly evil.

            Fortunately they are also usually cartoonishly incompetent.

  4. John_Ericsson

    If it does not need to be on the internet it should not be on the internet.

    1. Ken Hagan Gold badge

      True, but requiring air-gapped terminals for processing employee information makes it harder to answer emailed queries about said information, to pick but one example.

      1. Rattus

        Also True

        but then we do have a habit of taking stuff and putting it in the cloud

  5. Rol

    How brave of them!

    Instead of breaking in to the highly profitable supermarket a few miles away, with its state of the art burglar system, they instead opted for the local store owned by an elderly couple. The store is a bit run down, but is vital to the local community.

    As you would expect, it was a doddle. Practically no risk whatsoever, and while they got away with plenty of stuff, it was in truth, more or less worthless stuff, but a kick in the teeth for the owners sufficient for them to close up shop and retire. The local community were then stuffed, as those without cars could not get to the next nearest shop, which was the massive supermarket that had caused the closure of every retailer in a 20 mile radius.

    This hack on the British Library is no different, and no less likely to have been carried out by those who operate on the emotional level of children. I hope they get caught and sent to sit on the naughty step for a very long time.
