I still find it amazing that ransomware and crypto gangs appear to be the first criminals in the world that can openly advertise themselves, seemingly with little fear of being caught ... What is happening to this world?
Rhysida ransomware gang: We attacked the British Library
The Rhysida ransomware group says it's behind the highly disruptive October cyberattack on the British Library, leaking a snippet of stolen data in the process. A low-res image shared to its leak site appears to show a handful of passport scans, along with other documents, some of which display the format of HMRC employment …
COMMENTS
-
Monday 20th November 2023 17:50 GMT Eclectic Man
Aside: Not quite the first ...
Interviewed on the BBC Radio, an actor said that as he was contracted to play a Mafia Boss, he went and 'hung out' with a Mafia Boss in a city in Italy. He learnt the mannerisms and gestures to such an extent that when he wanted to cross the road anywhere in that city all he had to do was hold up his hand and the traffic would stop. His performance in the movie was, apparently, very convincing.
-
Monday 20th November 2023 17:20 GMT Yet Another Anonymous coward
Re: We've engaged in illegal acts to obtain this data
>You can trust me: I'm a blackmailer.
Ironically they have to be trustworthy or nobody would ever pay them.
The best way for a law enforcement agency to stop this sort of crime would be to steal some data from a very public organisation, have them pay up and then release the data anyway with the message "Suckers!" then nobody would ever pay again and so there would be no market and no thefts.
-
Tuesday 21st November 2023 00:47 GMT IGotOut
Re: We've engaged in illegal acts to obtain this data
The best way to stop ransomware, or at least curtail it, would be for as many countries as possible to work together and make it a criminal offence to pay them, fine any companies that do (say double the amount they pay), and equally an offence to offer insurance to cover said payments.
If there is no money for them, this form of computer crime, at least, would all but dry up.
-
Tuesday 21st November 2023 01:40 GMT Yet Another Anonymous coward
Re: We've engaged in illegal acts to obtain this data
Then companies would simply pay the same amount as a consultant fee to a 3rd party cyber security expert to ensure the data was never leaked.
In the same way it's illegal to pay bribes but you can pay consulting fees to the family of the president for their technical expertise.
-
Monday 20th November 2023 14:42 GMT Random person
As part of checking that somebody has a right to work in the UK an employer has to "Make and keep copies of the documents and record the date you made the check."
https://www.gov.uk/check-job-applicant-right-to-work
Employers have been required to check people's right to work for a number of years.
-
Monday 20th November 2023 14:48 GMT heyrick
There's an obvious flaw here, then. The document should exist for as long as necessary to verify it is real, then that check should be recorded and the copy deleted.
Otherwise, things like this can happen.
[where I work it's similar rules, but they make a black and white photocopy and store it in a folder in a locked filing cabinet in a locked office, so nothing floating around god knows what cloudy providers]
-
Tuesday 21st November 2023 01:01 GMT IGotOut
"where I work it's similar rules, but they make a black and white photocopy and store it in a folder in a locked filing cabinet in a locked office"
You may want to look into the Windrush scandal and how that happened.
Hint: it involved paperwork in filing cabinets that were taking up too much space.
-
Tuesday 21st November 2023 14:32 GMT RavingDave33
Thank-you Hedrick!
Over the years I have found "El Reg" to be informative and (in the good old days of Dabsy & "Post Pub Grub", etc, i.e. before they were taken over by BoringTech Inc.) entertaining.
As a non-techie, I am baffled as to why the default for any org requiring personal data is not "put it into a separate container and lock it away - even electronically".
Why does the ICO enforce this as a rule? Why do our politicians not make laws explicitly requiring such? Why, because they are all c*rr&pt, so dare not upset the big data vacuumers for fear of losing another directorship?
Next time that anyone dare send me a hypocritical reminder to be careful of my personal data, I will forward it on to HM Gov to remind them that THEY need to be taking care of my personal data.
-
Tuesday 21st November 2023 07:53 GMT NeilPost
But once validated, you don’t have to keep them forever.
UK GDPR is the same as EU GDPR.
The UK GDPR sets out seven key principles:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
These principles should lie at the heart of your approach to processing personal data.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/
-
Tuesday 21st November 2023 09:53 GMT Jim Whitaker
They get kept for as long as is necessary. The method of having a "trusted" person in your organisation have sight of the relevant documents and for them then to record "conditions met" is attractive. Attractive, that is, until the relevant law enforcement bodies rock up on your doorstep and start asking difficult questions.
-
Tuesday 21st November 2023 17:53 GMT Lurko
This "we've got to keep records for years and years because the regulations say so" excuse is bollocks in the context of a data breach. If they need copies of people's passports, birth certificates, then either immediately transfer them to archive and delete them from live systems, or take hard copies and file those.
Time and again, big, bungling organisations lose other people's data because they've made it easily accessible when there wasn't a need for access to be easy. How often do HMRC rock up and ask for proof of right to work documents? Once in a flood. If HMRC (or Home Office) have to wait a couple of days for a tape backup to be found and loaded, then that's far better than the organisation losing data that can have a negative impact on the individual for years.
-
Tuesday 21st November 2023 09:59 GMT Anonymous Coward
GDPR
You are correct in that you don't have to keep copies of the validated documents/information forever but you do have to keep them for two years after the person left your employment.
All of which has got nothing to do with GDPR which - as you say - are principles and any legal or other valid requirement to keep documents indefinitely does not go against any of those seven principles which in essence boil down to keep data safe, not keeping data you don't need, and not keeping it *longer than you need to*.
-
Wednesday 22nd November 2023 12:14 GMT Rol
How brave of them!
Instead of breaking in to the highly profitable supermarket a few miles away, with its state of the art burglar system, they instead opted for the local store owned by an elderly couple. The store is a bit run down, but is vital to the local community.
As you would expect, it was a doddle. Practically no risk whatsoever, and while they got away with plenty of stuff, it was in truth, more or less worthless stuff, but a kick in the teeth for the owners sufficient for them to close up shop and retire. The local community were then stuffed, as those without cars could not get to the next nearest shop, which was the massive supermarket that had caused the closure of every retailer in a 20 mile radius.
This hack on the British Library is no different, and no less likely to have been carried out by those who operate on the emotional level of children. I hope they get caught and sent to sit on the naughty step for a very long time.