Hacked on Christmas - DEphoto cyber attack

On Christmas Day, UK school, sport and event photography business DEphoto was hit by a major cyberattack. Threat actors claimed to have exfiltrated the personal information of over 550,000 customers, including over 16,000 records containing plain text credit and debit card numbers, expiry dates, and CVV codes.

In addition, they claim to have exfiltrated customer photos, including those of personal events, families and children. The threat actor claiming responsibility, 0mid16B, has posted screenshots appearing to support its data exfiltration claims.

Following the initial incident, the threat actors claimed to have notified DEphoto of the attack and demanded a ransom to prevent publication of the data. DEphoto appears not to have paid the ransom and instead restored the impacted services, but without implementing any further security controls to protect the service. Subsequently, the threat actors breached DEphoto again on December 29th, using credentials stolen in the initial breach.

While no public statement has been made concerning the data breach, reviews on the company’s Trustpilot page indicate that impacted customers are being contacted. The data breach has been acknowledged in replies to customer reviews, which further state that all of the credit card information is from over 10 years ago and that payment information is no longer stored on DEphoto servers.

This statement, alongside customers from over 10 years ago being informed that their data was impacted, suggests that long data retention periods may have led to a higher impact from the breach. DEphoto stated in a Trustpilot review response that its existing policy of indefinite data retention is being reviewed and that it is considering moving towards a shorter retention period.

This incident highlights the recurring theme of major cyberattacks occurring on weekends, holidays, or out of business hours. While many organisations are able to effectively monitor for and respond to cyber incidents during business hours, it can be challenging to extend that capability to 24/7. This gap is often exploited by threat actors aiming to take advantage of a delayed response.

What Can Organisations Learn?

  • Consider building an internal, or procuring an external, security operations centre (SOC) capability, to ensure that logs are analysed 24/7 by skilled security analysts able to identify malicious activity and immediately carry out remediation actions.

  • Identify critical data and apply appropriate encryption methods such as server, database, and file level encryption to reduce the risk of a threat actor stealing and having access to ‘clear text’ data.

  • Assess the maturity of cyber incident response and business continuity capabilities, ensuring regular exercising and testing of predefined plans. These plans should ensure that the root cause of the incident is identified and remediated prior to bringing services back online, to prevent repeat attacks.

  • Ensure data retention policies only require data to be stored for the minimal period of time, and that these are backed up by technical controls to ensure data is deleted in accordance with such policies.
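As an added illustration of the last point (this is example code written for this article, not anything from DEphoto), the following shows a retention control that runs over a constructed set of customer records: payment details older than an assumed two-year policy are purged, and the CVV is never retained regardless of age. The record layout, field names and retention period are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy for the example: payment details are purged two years after the last order.
RETENTION_DAYS = 365 * 2
# Fixed "current time" so the example is reproducible (constructed, not a real clock).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class CustomerRecord:
    customer_id: str
    last_order: datetime
    card_number: Optional[str] = None
    expiry: Optional[str] = None
    cvv: Optional[str] = None  # must never be persisted after authorisation


def sample_records() -> List[CustomerRecord]:
    """Constructed sample data: card values are dummy strings, not real PANs."""
    return [
        CustomerRecord("c-001", datetime(2014, 6, 1, tzinfo=timezone.utc), "4111********1111", "06/16", "123"),
        CustomerRecord("c-002", datetime(2024, 11, 15, tzinfo=timezone.utc), "5500********0004", "11/27", "456"),
        CustomerRecord("c-003", datetime(2010, 1, 1, tzinfo=timezone.utc)),  # no payment data stored
    ]


def enforce_retention(records: List[CustomerRecord], now: datetime,
                      retention_days: int = RETENTION_DAYS) -> Tuple[List[CustomerRecord], List[str]]:
    """Apply the retention policy in place.

    Returns the records plus the ids whose card number/expiry were purged. The CVV is
    cleared unconditionally, because it should not be held at all once a payment is authorised.
    """
    cutoff = now - timedelta(days=retention_days)
    purged: List[str] = []
    for record in records:
        record.cvv = None
        if record.last_order < cutoff and (record.card_number or record.expiry):
            record.card_number = None
            record.expiry = None
            purged.append(record.customer_id)
    return records, purged


if __name__ == "__main__":
    kept, purged_ids = enforce_retention(sample_records(), NOW)
    print("purged payment data for:", purged_ids)
    for r in kept:
        print(r)
```

Running the purge on a schedule, and logging which ids were affected, gives the technical control the policy needs and an audit trail showing it was applied.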

Written by Alex McIntosh, Waterstons

Each month, our cyber security team gathers information on the latest threat news, updates and insights to share with our clients for awareness. This also includes advice and actions that can be taken to protect businesses and teams from threats, as well as what to do in the event of a breach.

You can sign up here.
