Cyberattack exposed criminal records, financial data for UK legal aid applicants
Japan approves proactive cyber ops, PayPal Mafia mogul exposed in Coinbase hack, Hackers tried to breach Binance and Kraken with social engineering attack, SEC X hacker gets 14 months, Pentagon halted cyber ops against Russia for one day, Procolored printers are full of malware, much more
Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
The personal data of hundreds of thousands of legal aid applicants in England and Wales dating back to 2010, including criminal records and financial details, has been accessed and downloaded in a “significant” cyberattack.
Officials admit that the data may have included applicants' contact details and addresses, dates of birth, national ID numbers, criminal history, employment status, and financial data such as contribution amounts, debts, and payments.
The hackers have claimed that they accessed 2.1 million pieces of data, a figure that has so far not been verified. The authorities do not believe the hack is the work of a state actor; it appears instead to be the work of a criminal gang.
A Ministry of Justice source blamed the breach on the previous government's “neglect and mismanagement,” saying vulnerabilities in the Legal Aid Agency’s (LAA) systems have been known for many years.
“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government.
“They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act,” the source said.
The MoJ said officials became aware of a cyber-attack on the LAA’s online digital services on 23 April but believed it had accessed data from legal aid providers such as solicitors’ firms, not from applicants. It is understood that officials discovered on Friday that it was much wider and involved applicants.
The LAA’s online digital services, which are used by legal aid providers to log their work and get paid by the government, have been taken offline. For the next few weeks, legal aid providers will be given phone numbers or email addresses to contact as they seek payment.
Officials are attempting to build an upgraded system over the next few weeks to replace the hacked one. (Rajeev Syal / The Guardian)
Related: GOV.uk, Infosecurity Magazine, BBC News, Reuters, Tech Radar, Financial Times, Cybernews, Daily Mail, Legal Cheek, National Technology News, Sky News, Rappler, City AM, Enterprise Times, The Standard

The Japanese parliament passed a bill to allow the government to take proactive steps to prevent serious cyberattacks, with majority support in the Upper House from both the ruling bloc and the major opposition Constitutional Democratic Party of Japan.
The legislation calls for the respect of the secrecy of communications, a provision added after deliberations at the Lower House. The government plans to put the new law into full effect in 2027.
The government's 2022 National Security Strategy stipulates the introduction of active cyberdefense. The goal is for Japan to acquire the ability to defend against cyberattacks equivalent to or better than that of major Western countries.
Under the new law, the government will acquire and analyze communications between foreign countries via Japan and between Japan and other countries during peacetime. If there is a sign of a cyberattack, police and the Self-Defense Forces will take steps to neutralize threats.
The government will establish joint bases for the police and the SDF. The law calls for promoting public-private cooperation, such as the sharing of sensitive information, to improve the cyber defense capabilities of infrastructure operators.
Businesses will be required to report to the government on the introduction of communication devices and cyberattacks.
To minimize restrictions linked to the secrecy of communications, which the Constitution guarantees, mechanical information, such as internet protocol addresses and attack commands, will be sorted out and analyzed. Essential communication contents, such as email texts, will be excluded from examination.
An independent organization will be established as an external bureau of the Cabinet Office to oversee the law's enforcement. (The Japan Times)
Related: The Record, Kyodo News, Nippon.com
According to a source, Sequoia Capital Managing Partner Roelof Botha was among the Coinbase customers whose personal information was stolen in a hack against the largest US crypto exchange.
The source said personal information about Botha, including his phone number, address, and other details associated with his Coinbase account, was stolen.
That the attackers gathered information about Botha, which has not been previously reported, hints at the type of wealthy and powerful targets that the outsiders were looking to compromise. Botha is a member of the so-called PayPal Mafia, an influential group of former PayPal employees that includes Peter Thiel and Elon Musk.
He joined Sequoia, one of the world’s foremost venture firms, in 2003, placing early bets on companies like YouTube and Instagram. He became the firm’s leader, taking the title of senior steward, in 2022. (Margi Murphy / Bloomberg)
Related: Cointelegraph
Sources say Binance and Kraken are among the major crypto exchanges targeted by the same type of social-engineering hack recently disclosed by Coinbase, with both exchanges able to ward off the attack successfully.
In the Coinbase incident, hackers bribed customer agents to steal client data and demanded a $20 million ransom to delete it. The bribed reps got access to names, dates of birth, addresses, nationalities, government-issued ID numbers, some banking information, as well as details about when customer accounts were created and their balances.
Binance uses artificial-intelligence bots to spot offers of potential bribes in different languages and to stop the conversations. Many exchanges also only allow representatives to access customer information when customers initiate calls. (Olga Kharif and Teresa Xie / Bloomberg)
Related: CoinDesk, Crypto News Australia, GuruFocus, PYMNTS, The Shib, The Block, The Crypto Times, DL News
US District Court Judge Amy Berman Jackson sentenced Eric Council Jr. to 14 months in prison and ordered the forfeiture of $50,000 for executing a SIM-swap attack to allow access to the Securities and Exchange Commission (SEC) account on the social media platform X.
After completing the prison sentence, Council will have “three years of supervised release with the condition that he not use computers to access the dark web or commit further identity fraud,” the US Attorney’s Office for the District of Columbia said. (Joe Warminsky / The Record)
Related: Justice Department, CNBC, WAFF, BeInCrypto, Cointelegraph, The Cyber Express
Republican Rep. Don Bacon of Nebraska said the US government halted cyber operations against Russia for one day in February as President Trump was trying to negotiate an end to the Russia-Ukraine war, confirming earlier reporting at the time and undercutting statements of denial from the Defense Department.
"I actually dug into this whole matter. I just want to address it: It was a one-day pause, which is typical for negotiations," said Bacon, chair of the House Armed Services cyber subcommittee, during a hearing. "That's just about as much as I can say. It was a one-day pause."
In March, multiple US officials said that Defense Secretary Pete Hegseth had issued a directive to US Cyber Command to pause cyber operations against Russia, including those that were the most provocative. At the time, the duration of the pause was unknown.
In response to reports about the pause, the Pentagon's rapid response team posted on March 4 on X that Hegseth "has neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority."
Two sources familiar with Hegseth's order said the pause directive lacked specificity. It's not clear how the order about planning was interpreted. Multiple officials also told CBS News in March that strategizing for future operations was never paused and that U.S. cyber policy on Russia "is very much intact" and remains at the same level, one of the officials said. (James LaPorta / CBS News)
Related: Politico, The Record, House Armed Services Committee
Karsten Hahn, a researcher at cybersecurity vendor G Data, reported that printer driver downloads distributed by China-based Procolored were laced with malware.
Hahn began investigating after YouTuber Cameron Coward of Serial Hobbyism received a printer from Procolored, a provider of direct-to-film printers used to create custom T-shirts. While testing the printer for a review, Windows Defender, the built-in antivirus, and Google's Chrome browser both alerted him to malware on his PC.
His computer had been hit with Floxif, a powerful malware that can change Windows executables and install other malicious code. It can also spread itself through connected USB drives. Coward’s PC received the malware alert after installing software from a ZIP folder on the “USB thumb drive Procolored supplied with the printer.”
Although Procolored, a Shenzhen-based company, claimed the malware alerts were false positives, Coward posted a call on Reddit for a third-party security researcher to double-check. Hahn at G Data began investigating and traced the threat to the printer driver files hosted on Procolored's website.
Procolored continues to host the printer driver files for six products on a third-party Mega.nz file-sharing account. Hahn’s antivirus scan found that 39 of the files triggered two malware detections: one for a cryptocurrency wallet stealer and the other for a backdoor for Windows PCs dubbed XRed. (Michael Kan / PC Mag)
Related: G Data Cyber Defense, Neowin, r/computerviruses
Two days after a photo was published of Trump's national security advisor, Michael Waltz, using an unauthorized and insecure fork of the Signal messaging app called TeleMessage Signal, an anonymous source said they had hacked it in less than 20 minutes.
Telemessage has now temporarily suspended all services.
The exploit that the hacker used was incredibly simple. “I first looked at the admin panel secure.telemessage.com and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords, as the hash effectively becomes the password,” the hacker said. Hashing on the client means the server accepts the hash itself as the credential, so anyone who captures or leaks it can replay it without knowing the password. MD5 is also unsuitable for password storage on its own: it is fast and unsalted, so leaked hashes can be cracked quickly.
Drop Site News has since reported that it appears that this admin panel exposed email addresses, passwords, usernames, and phone numbers to the public.
The weak password hashing and the fact that the TeleMessage site was programmed with JSP—an early 2000s-era technology for creating web apps in Java—gave the hacker “the impression that their security must be poor.” Hoping to find vulnerable JSP files, the hacker then used feroxbuster, a tool that can quickly find publicly available resources on a website, on secure.telemessage.com.
The hacker also used feroxbuster on archive.telemessage.com, another domain used by TeleMessage, which is where they discovered the vulnerable URL, which ended in /heapdump.
When they loaded this URL, the server responded with a Java heap dump, a roughly 150-MB file containing a snapshot of the JVM's heap at the moment the URL was requested. Because a heap dump captures every live object, it routinely includes whatever the application was holding in memory, such as session tokens, configuration secrets, and user data, which is why such endpoints must never be reachable without authentication. (Micah Lee / Wired)
Related: r/technology
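The following example, added here and not drawn from the TeleMessage code or from the Wired report, shows why client-side MD5 hashing turns the hash into the password. Both login functions, the account data, and the password are constructed for the illustration; the "insecure" path accepts a submitted MD5 digest exactly as a client-side-hashing form would send it, while the "secure" path receives the plaintext over the TLS connection and salts and stretches it server-side with PBKDF2, so a leaked stored value cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not real TeleMessage data.
PASSWORD = "correct horse battery staple"

# --- Pattern 1: client-side MD5 (the flaw described for the admin panel) ---
# The browser computes md5(password) and submits it; the server compares that
# digest with the stored md5(password). Anyone holding the stored or
# transmitted digest can log in without the password: the hash IS the credential.
CLIENT_HASH_DB = {"admin": hashlib.md5(PASSWORD.encode()).hexdigest()}


def client_hash(password: str) -> str:
    """What a client-side hashing login form does before submitting."""
    return hashlib.md5(password.encode()).hexdigest()


def insecure_login(user: str, submitted_hash: str) -> bool:
    stored = CLIENT_HASH_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


# --- Pattern 2: server-side salted, iterated hash ---
# The client sends the plaintext password over TLS; the server applies a
# per-user random salt and a slow KDF. A leaked row gives an attacker a salt
# and a PBKDF2 output that is neither replayable as a login nor cheap to crack.
ITERATIONS = 200_000  # kept modest so the example runs quickly; tune upward in production


def make_record(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


SERVER_HASH_DB = {"admin": make_record(PASSWORD)}


def secure_login(user: str, submitted_password: str) -> bool:
    rec = SERVER_HASH_DB.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def demo() -> dict:
    """Replay a leaked stored value against both designs."""
    leaked = CLIENT_HASH_DB["admin"]  # what an attacker would read from a dump or database
    return {
        "insecure_replay_works": insecure_login("admin", leaked),
        "secure_replay_works": secure_login("admin", leaked),  # the hash is not the password
        "secure_real_password": secure_login("admin", PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that hashing belongs on the server, after transport encryption has done its job; hashing in the browser only changes which string the attacker needs to steal.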
Luxury assets worth more than $4.5 million have been forfeited after being linked to Shane Stephen Duffy, previously convicted of hacking Riot Games, a US-based gaming company behind the hit video game League of Legends.
The investigation by the Criminal Assets Confiscation Taskforce (CACT) began in 2018 after AUSTRAC, Australia's financial intelligence agency, was tipped off by authorities in Luxembourg about suspicious Bitcoin transactions.
Investigators suspect Duffy stole 950 Bitcoin from a French cryptocurrency exchange in 2013, now worth about $150 million.
While no criminal charges were laid in relation to the alleged theft, the CACT was able to restrain the suspected proceeds of crime under federal laws, even without a related prosecution.
Authorities secured restraining orders over the assets in 2019, and they were officially forfeited in April. (Demi Huang / 7News)
Related: Cyber Daily, 7News
Korea's Ministry of Science and ICT said that a joint team of public and private investigators found that nearly 27 million units of international mobile subscriber identity, or IMSI, have been leaked from SK Telecom’s data breach.
“The investigators confirmed that the amount of leaked (universal subscriber identity module, or USIM) information was 9.82 (gigabytes), which equals about 26.69 million units of the IMSI,” said Choi Woo-hyuk, director general of the Cyber Security & Network Policy Bureau at the Science Ministry.
IMSI, which can be regarded as a mobile fingerprint, is a 15-digit or shorter number used to identify and authenticate each mobile subscriber on a cellular network.
SK Telecom has about 25 million subscribers, fewer than the number of leaked IMSIs, but officials explained that the IMSI count covers every universal subscriber identity module (USIM) in use, including those in smartphones, smartwatches, and other connected devices.
The authorities announced that they found 25 types of malware and 23 hacked servers, up 21 and 18, respectively, from the previous discoveries released by the joint investigation on April 29. Having completed the investigation of 15 servers through detailed assessments, such as forensic and log analysis, the authorities plan to finish the investigation of the remaining eight servers by the end of May. (Kan Hyeong-woo / The Korea Herald)
Related: The Chosun, KoreaJoongAngDaily
Hackers targeted Australian taxpayers’ myGov accounts, filing falsified tax returns in the victims' names and directing the resulting refunds to bank accounts the attackers controlled.
The Australian Taxation Office (ATO) said it has taken steps to stop the fraudulent activity and that the unusual account activity is linked to identity theft. (Sky News)
Related: The Australian
DC-based think tank Foundation for Defense of Democracies reported that recently laid-off officials from the US federal government are being targeted by Chinese intelligence through a network of front companies purporting to offer consulting work.
A group of five putative consulting and headhunting firms based in the United States, Singapore, and Japan can be linked by their common use between December and March 14 of a single IP address tied to a server owned by the Chinese firm Tencent. The IP address "hosts only domains associated with the five firms in the network, suggesting it is a dedicated hosting environment."
The websites of four companies, Dustrategy, RiverMerge Strategies, Tsubasa Insight, and Wavemax Innov, additionally shared a single SSL certificate and the same Chinese email service provider, cengmail.cn. The email provider isn't widely used, even in China. Two of the front companies switched email providers during the second half of 2024, "perhaps to mask their connections to China." (Akshaya Asokan / Data Breach Today)
Related: Foundation for the Defense of Democracies
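The report above links the five firms through shared infrastructure: a dedicated IP address, a common TLS certificate, and an uncommon email provider. The example below, added here and not part of the FDD report or its tooling, shows the general technique of clustering hosts by shared indicators while discarding indicators that are too widely shared to mean anything (a CDN address or a mass-market mail provider links everyone to everyone). All hostnames, addresses, certificate fingerprints, and mail hosts are constructed placeholders, not values from the report.

```python
from collections import defaultdict

# Constructed observations: placeholder hostnames, IPs (RFC 5737 ranges),
# certificate fingerprints, and MX hosts. Not data from the FDD report.
OBSERVATIONS = [
    {"host": "firm-a.example", "ip": "203.0.113.10", "cert": "sha256:1111", "mx": "mx.rare-mail.example"},
    {"host": "firm-b.example", "ip": "203.0.113.10", "cert": "sha256:1111", "mx": "mx.rare-mail.example"},
    {"host": "firm-c.example", "ip": "203.0.113.10", "cert": "sha256:1111", "mx": "mx.rare-mail.example"},
    {"host": "firm-d.example", "ip": "203.0.113.10", "cert": "sha256:1111", "mx": "mx.rare-mail.example"},
    {"host": "firm-e.example", "ip": "203.0.113.10", "cert": "sha256:2222", "mx": "mx.big-mail.example"},
    {"host": "shop.example",   "ip": "198.51.100.7", "cert": "sha256:3333", "mx": "mx.big-mail.example"},
    {"host": "blog.example",   "ip": "198.51.100.7", "cert": "sha256:4444", "mx": "mx.big-mail.example"},
]
# Thirty unrelated tenants behind one CDN address and a popular mail provider:
# these indicators are shared by too many hosts to serve as pivots.
OBSERVATIONS += [
    {"host": f"cdn-tenant-{i:02d}.example", "ip": "192.0.2.1",
     "cert": f"sha256:c{i:02d}", "mx": "mx.big-mail.example"}
    for i in range(30)
]

PIVOT_FIELDS = ("ip", "cert", "mx")


def build_index(observations):
    """Map each (field, value) indicator to the set of hosts exhibiting it."""
    index = defaultdict(set)
    for obs in observations:
        for field in PIVOT_FIELDS:
            index[(field, obs[field])].add(obs["host"])
    return index


def cluster(observations, max_fanout=10):
    """Union-find over hosts; an indicator links hosts only if it is shared by
    at least two and at most max_fanout of them. Returns a list of
    (members, evidence) pairs, largest cluster first, where evidence lists the
    indicators that produced the links."""
    index = build_index(observations)
    parent = {obs["host"]: obs["host"] for obs in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    pivots = {}
    for key, hosts in index.items():
        if len(hosts) < 2 or len(hosts) > max_fanout:
            continue  # unique values link nothing; crowded values are shared hosting
        ordered = sorted(hosts)
        for h in ordered[1:]:
            union(ordered[0], h)
        pivots[key] = ordered

    groups = defaultdict(set)
    for host in parent:
        groups[find(host)].add(host)

    clusters = []
    for members in groups.values():
        evidence = sorted(k for k, hs in pivots.items() if set(hs) <= members)
        clusters.append((frozenset(members), evidence))
    clusters.sort(key=lambda c: (-len(c[0]), sorted(c[0])))
    return clusters


if __name__ == "__main__":
    for members, evidence in cluster(OBSERVATIONS):
        if len(members) > 1:
            print(sorted(members), "linked by", evidence)
```

In the constructed data the five firm hosts fall into one cluster on the strength of the dedicated IP plus the shared certificate and mail host, while the popular mail provider and the CDN address are ignored because of their fan-out. The remaining false link (shop and blog on one small VPS) is the reminder that a single shared address is a lead to verify, not proof of common control.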

According to a source, hackers believed to be part of the Scattered Spider collective went undetected in Marks and Spencer's systems for up to 52 hours before the alarm was raised, in what insiders are describing as a "colossal mistake."
The hackers penetrated the retailer’s IT systems through a contractor.
“What went wrong was human error. Human error is a polite word for somebody making a colossal mistake,” a source said.
The hackers were able to work undetected in the systems for around 52 hours before the alarm was raised, insiders said, before emergency response teams defended M&S over a five-day “attack phase."
Since then, the company has been investigating and rebuilding. It is understood that M&S’s stock availability will be back to normal next week, but its website could take weeks to go back online. (Tom Witherow and Isabella Fish / The Times)
Related: Daily Mail
BBC reporter Joe Tidy was contacted by the hackers who call themselves DragonForce and are likely part of the loose cybercriminal collective Scattered Spider that breached UK grocery retailer The Co-Op.
They were frustrated that Co-op wasn't giving in to their ransom demands, but wouldn't say how much money in Bitcoin they were demanding of the retailer in exchange for the promise that they wouldn't sell or give away the stolen data.
After consulting the BBC's Editorial Policy team, Tidy decided it was in the public interest to report that the hackers had provided evidence proving they were responsible for the hack.
He quickly contacted the Co-op's press team for comment, and within minutes the firm, which had initially downplayed the hack, admitted to employees, customers, and the stock market that it had suffered a significant data breach. (Joe Tidy / BBC News)
Jon DiMaggio, a former NSA analyst who is now chief security strategist at Analyst1, listened to a call in which a member of the Scattered Spider criminal collective, posing as an employee, contacted the help desk of a large US retailer. The group has been attempting to infiltrate American retail organizations after hitting multiple UK-based shops.
"The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided," DiMaggio said. "They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it's very difficult to flag these things. When these guys do it, they're good at what they do."
Luckily, the target was a big company with a big security budget, and it employs several former government and law enforcement infosec officials, including criminal-behavior experts, on its team. (Jessica Lyons / The Register)
Related: Databreaches.net
The New South Wales education department was surprised when Microsoft began collecting the voice and facial biometric data of school students using the Teams video conferencing app in March.
Late last year, Microsoft announced it would enable data collection by default, commencing in March, for a Teams feature known as voice and face enrolment.
Voice and face enrolment in Teams creates a voice and face “profile” for each participant in Teams meetings, which the company said improves the audio quality, reduces background noise, and enables the software to tell who is speaking in meetings by recognising their voice and face.
The profiles are also used by Microsoft's Copilot assistant to improve the accuracy of transcription and meeting summaries when those features are enabled.
“A new Microsoft Teams feature that allowed voice and facial enrolment for people entering Teams meetings was quickly disabled across our network, and any face or voice recognition profiles that were created have been removed,” a spokesperson for the education department said.
The feature was switched off in April, and the profiles were deleted within 24 hours of the department becoming aware that voice and facial enrolment was enabled. (Josh Taylor / The Guardian)
Data security firm Cyera has raised $500 million in a new venture funding round.
Lightspeed, Greenoaks, and Georgian led the round, with participation from existing investors Accel, Sequoia Capital, and Sapphire Ventures. (Kate Clark and Katie Roof / Bloomberg)
Related: CTech, Tech in Asia
Best Thing of the Day: Law Enforcement Doesn't Solve Cybercrime Alone
Ciaran Martin, former head of the National Cyber Security Centre, offers some solutions to England's cybercrime problem that has erupted with the attacks on UK retailers.
Bonus Best Thing of the Day: The Vatican's Cyber Swiss Guard
A group of 90 cybersecurity professionals from around the world who call themselves the Vatican CyberVolunteers has been working to fend off digital attacks against the Vatican since 2022.
Worst Thing of the Day: When Your Connected Car App Spills the Beans
Security researchers at LoopSec discovered that Volkswagen's connected car app permitted brute-force attacks and exposed owners' PII, including names, phone numbers, postal addresses, email addresses, and even car payment amounts.
Closing Thought
