This week's threat report has the typical "learning from experience" issues that are always helpful to be aware of.
It also has a feeling of justice that goes with it, as it reports on a criminal COVID-19 phisher being given a jail sentence of over four years.
Lessons Learned - Leaky AWS S3 Bucket
In terms of "lessons learned"... let this be a reminder to us all to be careful with our large data stores. A team at Website Planet said they located an AWS S3 bucket left unprotected by a recruitment company. That bucket contained loads of personal data, such as CVs with names and addresses (home and email) and phone numbers... all sorts of things that most people don't want just flying around the internet.
The media reports have said that this was down to a misconfigured cloud account, showing us that we're back to the human risk factor here... one small "oops" can mean a huge data loss.
Justice Served for COVID-19 Vaccine Scammer
It's good to be reminded that cyber criminals / phishers do indeed get caught for their wrongdoings and tried for criminal practice.
Unfortunately, though, this does always mean that these criminals have previously harmed others and/or others' data before they are caught and tried.
In this particular case, the criminal has been sentenced to more than four years' jail time for the fraudulent acts committed. The criminal sent fake text messages purporting to be from the NHS, banks, and other commercial organisations to unsuspecting recipients. These poor recipients were conned into entering financial information on bogus websites, based on the gov.uk domain, that could then be used to commit fraud. It was claimed that the information was needed to verify the individuals' identity and their entitlement to the COVID-19 vaccine.
And there we have one of our biggest vulnerabilities that con artists learn to exploit: our human fear of losing something, which leads us to trust that we must do one thing in order not to lose another. So many of us are afraid of this virus, and of missing out on our chance to be vaccinated and start to 'normalise' our daily lives again, that many people forgot the necessity of vigilantly checking those websites and the claims being made about the vaccine, or of contacting their GP or bank themselves to double-check the SMS's source.
We can't blame those who were exploited, but we have been reminded just how important it is to "keep our heads on our shoulders" when we receive any data request that we don't personally expect, from any source.
The full NCSC report can be downloaded here as a PDF article.