Former Record employees were impacted by the leak that the TV station suffered in October this year. Technoblog had access to a letter sent by the broadcaster stating what was exposed in the hacker attack, including identity data, wages and information about dependents. The company had already confirmed that current employees were also affected.
The letter, which follows in full at the end of this report, was sent to a former employee who worked at Record almost ten years ago.
The company states that “the impact on a legacy base of the Human Resources area was identified”. That is, hackers had access to an old database, and therefore they can see information about people who no longer work at the station.
Record mentions the following types of data that were exposed:
- registration data for contact and proof of identity;
- health data;
- data relating to the employment relationship, including information on dependents;
- data on union affiliation;
- financial data.
The company does not explain what this financial information would be, but according to columnist Ricardo Feltrin, from UOL, this is a euphemism for “wages”.
Gabriel Vaquer, columnist for TV news, also received this letter from Record; he worked for the network in 2015.
How the attack on Record happened
The invasion took place on October 8, 2022. Record was the target of ransomware, a kind of digital hijacking that encrypts files and demands payment to unlock systems.
Hackers from the BlackCat/Alphv group claimed responsibility and asked for a ransom of US$5 million, corresponding to approximately R$26 million. The broadcaster had indicated that it would not pay.
At the time of the attack, Record had difficulty staying on the air. It had to replace Speak Brazil with the series Everybody Hates Chris because there was no way to edit the newscast – the program used for this task was encrypted.
Some employees were sent home because there wasn’t even an internet connection to work. On October 10th, the Technology and Security team managed to restore most of the systems – probably from backup, because the files were still encrypted.
In early November – almost a month after the invasion – Record finally distributed a press release to current employees warning that their personal data had been exposed.
This notice is similar to the letter received by former employees, but it is not identical: for example, it mentions “Human Resources files” instead of “a legacy database” from HR.
In the letter to former employees seen by Technoblog, Record claims that it is monitoring the deep web, and that it has not detected public exposure of the data “so far”.
Of course, that could change… at any time.
In October, a few days after the invasion, hackers published a series of confidential documents, including presenter Ana Hickmann’s passport, a spreadsheet with payments made by advertisers, and a list of money received from the Federal Government.
Hackers operate on an affiliation model
In April 2022, the FBI issued an alert about the BlackCat/Alphv group, which at the time had already infected at least 60 organizations around the world. It operates on the “ransomware as a service” model, or RaaS: this means that the creator of the malicious code recruits “affiliates” to carry out attacks, and charges a commission percentage – from 10% to 20% – if the ransom is paid.
Also according to the FBI, the BlackCat/Alphv group steals the victim’s data before running the ransomware: this includes both files stored locally and in the cloud.
Then, the attackers demand a ransom of several million dollars, to be paid through bitcoin or Monero cryptocurrencies. The FBI says they end up accepting less than what was originally asked.
What if the company doesn’t pay? Well, hackers can leak the data little by little, as happened with Record, or they can go further.
In June, the BlackCat/Alphv group was said to have stolen 112 GB of information from a US hotel. Then, they created a website – which appeared in Google search – so that employees and guests could check if their data was actually leaked.
There are no indications that they have done the same for Record.
How does the hacker attack happen?
Malicious software from the BlackCat/Alphv group works as follows:
- it gains initial access to the victim’s system using a previously leaked login and password;
- it compromises user and administrator accounts in Active Directory, Microsoft’s tool for managing users on a network;
- it spreads to other computers by configuring malicious Group Policy Objects (GPOs) through Windows Task Scheduler.
BlackCat/Alphv will also disable security features on the victim’s network. It leverages Microsoft tools and targets Windows, but can be adapted to target Linux distributions as well.
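For defenders, the spreading step above leaves a recognizable trail: a change to a Group Policy object in Active Directory, followed shortly by the same scheduled task being created on several machines. The sketch below is an added example, not code from the FBI alert or from Record; it assumes Windows Security events 5136 (directory object modified) and 4698 (scheduled task created) are being audited and have already been parsed into dictionaries, and the field names, hosts, accounts and task names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, pre-parsed Windows Security events (not data from the incident).
# 5136 = directory service object modified, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T01:02:00", "id": 5136, "host": "DC01",
     "user": "adm.backup", "object_class": "groupPolicyContainer"},
    {"time": "2024-01-15T01:20:00", "id": 4698, "host": "WS01", "task": r"\SyncJob"},
    {"time": "2024-01-15T01:24:00", "id": 4698, "host": "WS02", "task": r"\SyncJob"},
    {"time": "2024-01-15T01:31:00", "id": 4698, "host": "FS01", "task": r"\SyncJob"},
    # Noise: a one-off task on a single host, and an unrelated directory change.
    {"time": "2024-01-15T01:40:00", "id": 4698, "host": "WS07", "task": r"\UserBackup"},
    {"time": "2024-01-15T09:00:00", "id": 5136, "host": "DC01",
     "user": "helpdesk1", "object_class": "user"},
]


def find_gpo_task_bursts(events, window=timedelta(minutes=90), min_hosts=3):
    """Flag GPO edits followed by the same task appearing on many hosts."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    gpo_edits = [e for e in parsed
                 if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]
    alerts = []
    for edit in gpo_edits:
        # Group task creations inside the window by task name.
        hosts_by_task = defaultdict(set)
        for e in parsed:
            if e["id"] == 4698 and edit["ts"] <= e["ts"] <= edit["ts"] + window:
                hosts_by_task[e["task"]].add(e["host"])
        for task, hosts in hosts_by_task.items():
            if len(hosts) >= min_hosts:
                alerts.append({"gpo_editor": edit["user"], "edited_at": edit["time"],
                               "task": task, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in find_gpo_task_bursts(SAMPLE_EVENTS):
        print(alert)
```

The window and host threshold are tuning knobs: legitimate GPO rollouts also create tasks on many machines, so an alert is a prompt to check who edited the policy and whether the change was planned.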
Broadcaster could be sued, lawyers say
Technoblog got in touch with specialists to get a better understanding of the case.
For Danilo Roque, partner in the Data Protection area at FAS Advogados, Record can be sued in the civil and data protection spheres. The lawyer recalls that the General Data Protection Law (LGPD) establishes that any controller or operator that causes damage has a duty to indemnify.
“There is even a provision in the LGPD that establishes the possibility of reversing the burden of proof, that is: the data subject who has suffered damage will only need to demonstrate verisimilitude in their allegations, and it is up to the processing agent to prove that this damage did not happen,” he explained.
Fernanda Muniz Borges, partner in the firm’s Labor area, points out that the understanding is similar from a labor perspective:
“Depending on what happened with this data leak, whether due to non-compliance with the LGPD itself and direct damage to the employee, there is the possibility of actions by employees against the former employer”, she said. “The claim would potentially be moral damages or material damages, if there is any ascertainable financial loss.”
André Issa, a Labor lawyer at Mandaliti, points out that the broadcaster acted correctly in reporting the leak. But this does not exempt the company itself from responsibility, which has been in charge of employee data since the pre-contractual period.
“Record can be sued by its employees, if it is proven that this data leak caused effective damage to these employees”, he said.
“Record is monitoring the Deep Web”
The letter sent by Record to former employees, and obtained by Technoblog, follows below:
Dear [employee's name],
Record adopts ethics and transparency in dealing with its employees as pillars of its operations.
As you may already be aware, in the early hours of 10/08/2022, Record was the victim of a security incident, which culminated in the encryption of machines and servers in the technological environment, impacting part of its activities.
Since the incident was identified, security protocols have been activated and measures to minimize the effects and risks of what happened have been adopted.
Record activated the support of a specialized external consultancy to investigate the causes, extent and consequences of the incident, and the National Data Protection Authority was also notified of the event.
In view of these facts, especially to prevent any risks that the incident may entail, such as the misuse of your data by third parties for fraud, we hereby inform you that an impact on a legacy base from the Human Resources area was identified, containing personal data belonging to you, such as: registration data for contact and proof of identity, data related to the employment relationship, including information on dependents, financial data, health data and data on union affiliation.
Among the complementary measures, Record is monitoring the Deep Web and, so far, we have not detected public exposure of your data by the offender.
Contacted by Technoblog, Record did not comment by the time of publication. The text may be updated if there is a response.