Cyber Security Roundup for April 2021

  

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2021.

How not to disclosure a Hack

UK fashion retailer FatFace angered customers in its handling of a customer data theft hack.  The clothes retailer revealed a data theft which included its customer's full names, home addresses, email addresses, and partial debit\credit card details. The payment card details included the last four digits and the card's security verification code, the latter code is never permitted to be stored after a payment card authorisation under Payment Card Industry Data Security Standard requirements, so it would appear the business was not PCI DSS compliant at the time of their hack, which strongly suggests the business may not doing enough of the expected IT security good practices to prevent being hacked in the first place, a poor IT defence posture which appears to have even been corroborated by their hackers.

FatFace CEO Liz Evans released a statement which said “On 17th January 2021 FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation with the assistance of experienced security professionals who, following a thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorising the data potentially involved in the incident.”

Customers were said to be angered that it took FatFace over two months to notify them of the breach, under the UK Data Protection Act (GDPR), UK businesses are required by law to notify data subjects (customers) within 72 hours of learning their personal data had been compromised.  Customers were said to be even further incensed that emails sent to them by FatFace were titled "Strictly private and confidential", which they considered implied they should help FatFace cover up the breach, and there was no apology by the FatFace CEO to boot.

Computer Weekly said it had learnt that FatFace paid a £1.5m ($2 million US dollar) ransom to the Conti Ransomware gang, disclosing the gang gained access to FatFace network and their IT systems via a phishing email on 10th January 2021. The ransomware attack was said to be executed on 17th January 2021 and over 200Gb of data was exfiltrated.  As part of ransomware negotiation, the original ransom ask for $8m worth of Bitcoin, was said to have included the Conti gang providing the following cybersecurity advice to FatFace:

• IT teams to implement email filtering
• conduct employee phishing tests
• conduct penetration testing
• review Active Directory password policy
• invest in better endpoint detection and response (EDR) technology, apparently recommending Cylance or VMware Carbon Black
• better protect the internal network and isolate critical systems
• implement offline storage and tape-based backup

All very sound advice.

More and More Ransomware Attacks

The Harris Federation, which runs 50 primary and secondary schools, and Birmingham College probably wished they had followed the alleged Conti gang's anti-ransomware security advice after they were taken out by ransomware attacks. 

The ransomware epidemic dominated the 2021 Palo Alto Networks Unit 42 Report, echoing the constant stream of IT media headlines, namely that ransomware gangs continue to evolve their tactics and operations, and are making more and more serious money.  We are within a golden age of ransomware crime, and there are no signs of a rest bite. PA Unit 42 found that the average ransom paid by organisations nearly tripled over the past year, from $115,123 in 2019 to $312,493. High-end ransoms have gone up significantly too. Between 2015 and 2019, the largest-known individual ransom demand was $15 million. In 2020 groups were demanding as much as $30 million to unlock a victim’s files and systems.

A Russian man in the US pleaded guilty to plotting to extort money from the electric car company Tesla, after he was accused of offering an employee £721k ($1m) to place ransomware on Tesla's network. He was quoted as saying that he and his co-conspirators would steal the data and if Tesla refused to pay the ransom the company's secrets would be placed on the internet.

Also, see the blog post - The Ransomware Group Tactics which Maximise their Profitability

Microsoft Exchange Zero-Day, Exploitations Led by Hafnium

At the start of March 2021, Microsoft rushed out patches for a critical zero-day Vulnerability in Exchange Server (2010, 2013, 2016, and 2019). In a series of blog posts, Microsoft said a hacking group operating out of China which it calls Hafnium, was exploiting the vulnerability. 

Further information about the Exchange Server zero-day vulnerability exploitations came to light throughout March, as summarised below. 

• Microsoft Exchange Server breaches more widespread than originally thought data suggests that the breaches may not be limited or targeted at all
• 10 groups now targeting Hafnium Microsoft Exchange vulnerabilities Security company ESET is now tracking 10 different threat groups or otherwise unique clusters of breaches that have used a chain of vulnerabilities Microsoft patched in Exchange Server
• Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities The Ransomware, called DoejoCrypt or DearCry, appears to be the latest threat associated with not patching the Hafnium Exchange Server vulnerabilities
• The Microsoft Exchange hack: Microsoft Probes Whether Leak Played Role in Suspected Chinese Hack - The risks and rewards of sharing bug intel
• Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer

UK Gov to Ramp up Cyber Offenses and Defences

Prime Minister Boris Johnson announced he was creating a "cyber corridor" in the North of England, to bolster Britain's cyber warfare capabilities against hostile countries and terrorist groups.  A new UK National Cyber Force (NCF) will lay out "a new cyber strategy to create a cyber ecosystem."

The NCF review will "set out the importance of cyber technology" to the UK's way of life "whether it’s defeating our enemies on the battlefield, making the internet a safer place or developing cutting-edge tech to improve people’s lives.“ Basing this task force in the North of England is intended to generate economic growth in the digital and defence industries while drawing in the private sector and academia to work with the government on projects.

Britain's biggest banks, including Barclays, HSBC, and NatWest, and insurance companies, including Aviva and Direct Line, will face new tougher testing of their cyber defences by the Bank of England's Financial Policy Committee (FPC). Industry sources said the FPC will test their ability to withstand a coordinated global series of cyberattacks to form the centrepiece of the Bank of England's stress scenario reporting.

However, one recently introduced UK cybersecurity law, which was meant to boost the resilience of the UK's energy sector by obliging gas and electricity firms to report to hacks, doesn't appear to be very effectively adopted. Network & Information Systems (NIS) Regulations 2018 were introduced into UK law three years ago and has parallels with the DPA\GDPR law which was introduced at the same time. Like the GDPR, NIS requires the UK critical national infrastructure firms (i.e. ISPs, utilities) and energy sector firms (i.e. gas and electricity firms) to quickly report any hacks to their regulating authority, Ofgem. According to Sky News, only one company has ever tried to file a report informing the regulator that it had been hacked, but they were dismissed as the incident did not meet the threshold for being reported.

Recently, the British government confirmed Russian state-sponsored hackers have successfully penetrated the computer networks of the UK's energy grids, without disrupting them, and former defence secretary Gavin Williamson warned that "thousands and thousands and thousands" of people could be killed if an attempt at disruption was made.  Responding to Sky News about NIS compliance, a UK government spokesperson said: "The UK's critical infrastructure is extremely well protected and over the past five years we have invested £1.9bn in the National Cyber Security Strategy to ensure our systems remain secure and reliable." UK Gov then added that a formal review of the impact of NIS will take place within the next 12 months.

Stay safe and secure.

BLOG

• Reducing Human Error Security Threats with Remote Workforce
• Cybercrime to cost over $10 Trillion by 2025
• The Ransomware Group Tactics which Maximise their Profitability
• HR Strategies to Drive Cybersecurity Culture in the New Normal
• Reasons Why the Security Industry is Protecting the Wrong Thing
• Cyber Security Roundup for March 2021

NEWS

• FatFace Faces Customer Anger After Controversial Breach Response
• Covid Fraud: £34.5m Stolen in Pandemic Scams
• Boris Johnson to set up Taskforce in North of England to bolster UK’s Cyber Capacity
• UK School Cyber-Attack affects 40,000 Pupils’ Email
• Birmingham College falls victim to 'Major Ransomware Attack'
• Banks and Insurers to Face Tough Cyber Stress Tests under Bank of England Plan
• UK Cyber Security Law forcing Energy Companies to Report Hacks not Followed
• Russian Pleads Guilty to Tesla Ransomware Plot
• Australia Cyber Attacks hit Television Channel and Parliament
• FBI Internet Crime Report 2020: Cybercrime Skyrocketed, with Email Compromise Accounting for 43% of Losses
• 2021 Palo Alto Networks Unit 42 Ransomware Threat Report: 2020 was a Golden Year for Ransomware Gangs
• 2020 Vulnerability Intelligence Report:  Threat Actors bypassing Shoddy Patching, Targeting Gateways

VULNERABILITIES AND SECURITY UPDATES

• Critical Zero-Day Vulnerability in Microsoft Exchange Server (On-Prem)
• Microsoft Patches 88 Vulnerabilities, 14 Rated as Critical
• Microsoft Antivirus Now Automatically Mitigates Exchange Server Vulnerability
• Google Fixes Five Chrome bugs, including One Zero-Day Exploited in the Wild
• Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux, Patched
• For the 2nd Time in less than a Year, F5 Announces Critical Vulnerabilities in its Networking Devices
• New, Critical Vulnerability discovered that could let Attackers gain entry to SolarWinds systems

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• CopperStealer Malware infected up to 5,000 hosts per day over the First Three Months of 2021
• UK 'must be clear-eyed about Chinese ambition', warns new National Cyber Security Centre Chief

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 

Scam Tweet

The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me. 

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers).  The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020.  Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said. 

• BT says 'impossible' to remove all Huawei kit in under 10 years
• The UK faces mobile blackouts if Huawei 5G ban imposed by 2023
• Huawei ban 'would depress GDP and spark inflation', think tank warns
• Huawei: The company and the security risks explained
• Huawei U-turn: Cyberattacks, levies and other possible repercussions of the UK's 5G move

In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions after Reuter's said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following their trade dispute with China.

Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour". 

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation, the million-pound theft was only thwarted by a last-minute intervention by a bank.  Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shutting down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin, had their website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'.  According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.

BLOG

• Twitter Hack & Scam
• Returning to the Workplace and the Ongoing Threat of Phishing Attacks
• iPhone Hacks: What You Need to Know About Mobile Security
• Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats
• How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal'
• Cyber Security Roundup for July 2020

NEWS

• 45 High Profile Twitter Accounts Hacked and Used to Scam Followers
• Blackbaud Hack: Universities Lose Data to Ransomware Attack
• Russian Hacking Group (APT 29) is Targeting Coronavirus Research Theft
• Huawei 5G kit must be removed from the UK by 2027
• Hacker Ransoms 23k MongoDB Databases and Threatens to contact GDPR Authorities
• Hackers try to Steal £1m Transfer Fee during Football Club Cyber Attack
• Dave ShinyHunters Hack Exposes 7.5 Million User Records
• Smartwatch Maker Garmin took Offline by Cyber Attack
• Open S3 Bucket Exposes One Million Files of Fitness Brand V Shred
• SEI Investments Customer Data Exposed in Ransomware Attack on Vendor

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 123 Vulnerabilities
• Microsoft Critical Warning to Fix Wormable Bug “SIGRed”
• Adobe Patch Tuesday: Adobe eliminates Four Critical Bugs
• Adobe Fixes 12 Critical Bugs in Second Round of July Patches
• Adobe mends Critical Code Execution Flaws in Magento
• Cisco Patches Severe Traversal Vulnerability Exploited in the Wild
• ‘Boothole’ Threatens Billions of Linux, Windows Devices
• Survey of 127 Routers’ Vulnerabilities: Remote Workers Warned over Security Flaws

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Dacls RAT’s Goals are to Steal Customer Data and Spread Ransomware
• GoldenSpy: Chinese Tax Software found to Dish Out Backdoor Malware
• Report: The Cost of Ransomware in 2020. A Country-by-Country Analysis

The Billion Pound Manchester City Hack

The sport of football is a multi-billion-pound global industry, where the world's top-drawer football clubs push competitive advantages to the extreme, not just for the prestige of winning trophies, as success on the pitch also means a greater slice of jaw-dropping TV, sponsorship and advertising revenues. 

The key commodity in the football industry are football players, elite talent players command transfer fees up to 100 times their weight in gold and receive millions a year in wages.  Investing in recruiting the best football players increases the likelihood of winning matches, titles and lucrative financial rewards. The competition for success is especially fierce between Europe's largest football clubs. This is leading to ever-inflating player transfer fees and wages, rippling downwards throughout football's global pyramid of leagues, with many clubs gambling with financial outlays on recruiting player talent, in hope of achieving the financial rewards which success on the football pitch brings.

Top Ten Football Club Revenues in 2018-19 (change from 2017-18)
1 Barcelona                 £741.1m (+£129.5m)
2 Real Madrid             £667.5m (+£2m)
3 Manchester United £627.1m (+£37.3m)
4 Bayern Munich £581.8m (+£24.4m)
5 Paris St-Germain £560.5m (+£80.6m)
6 Manchester City £538.2m (+£34.7m)
7 Liverpool                 £533m    (+£77.9m)
8 Tottenham               £459.3m (+£79.9m)
9 Chelsea                  £452.2m (-£4.2m)
10 Juventus                £405.2m (-£55.7m)
Source: Deloitte Football Money League

The Deloitte Football Money League illustrates the scale and growth in revenues at Europe's top tier clubs. Most of this revenue is acquired through participation in the UEFA Champions League (up to £150m), club sponsorship deals, and national league TV deals, especially the English Premier League, where clubs finishing in the top six positions are given around £150m a year. The number of bums on seats at stadia doesn't have the financial impact on a club's revenue stream as it once did. Success on the pitch is the greatest driver of a club's revenue, the new model of sustained success in football is recruiting and retaining the best squad of football players.

Such high stakes and large financial numbers are a recipe for pushing and bending football's rules, Real Madrid, Barcelona, Atletico Madrid, Liverpool, Chelsea and Manchester City have all been disciplined for breaking youth player recruitment rules. Football's rules are written and enforced by football’s various governing bodies, starting with country-level governance such as the English Premier League and The English Football Association (The FA), continental level governance such as Union of European Football Associations (UEFA) and finally the global football authority which is Fédération Internationale de Football Association (FIFA).

The Million Manchester City Pound Hack
As football players are the key elements of achieving success, most top tier clubs invest heavily to build intelligence on the best players to recruit. Clubs operate scouting networks on a global scale, utilising applications to gather and record statistical player data, and employ expert analysts to crunch those stats. All to determine which players they should target to improve their squad, when they should attempt to buy, and how much they should spend to achieve a maximum return on their investment.

Manchester City have a rocky relationship with UEFA

The top two rivals competing for success in the English Premier League in recent years have been Manchester City and Liverpool football clubs, with both clubs winning several major titles. At the end of 2011/12 season, it was a different story, Manchester City had won the Premier League title while Liverpool finished in 8th position, outside of lucrative Champions League qualification and 47 points behind City.  At the end of this season, Liverpool 'poached' two of Manchester City's scouting and recruitment leads, Dave Fallows and Barry Hunter, as their head of scouting and chief scout respectively.  14 months after these appointments were made, Liverpool paid Manchester City £1 million as part of a confidential settlement after it was alleged City’s cloud-based scouting application, Opta's Scout7, had been accessed by Liverpool FC staff on hundreds of occasions.  Whether this breach was 'assisted' by Manchester City not removing ex-employee access to their Scout7 app, or involved the hacking of City's accounts remains undisclosed.

Player Scouting App Scout7

The Premier League were not informed about this incident and the settlement until September 2019, when they launched an investigation, but confirmed on 7th February 2020 it would not be bringing any charges.  An FA spokesperson said: “The FA carefully considered the evidence received in this matter, including information provided by both clubs involved, and has decided not to progress the investigation. This is due to a number of factors including the age of the alleged concerns and the settlement agreed by the two clubs involved.  As per standard protocol, should the FA receive further information or evidence, the decision not to progress the investigation may be reviewed.” 

Since the hack there has been a major resurgence with Liverpool's success on the pitch, under their current manager Liverpool have spent £400 million on recruiting new players, creating arguably one of the strongest squads they have ever had. A squad which won the Champions League last season, while this season Liverpool stands to win the Premier League title for the first time in their history by some distance. The role of this alleged City hack in Liverpool's recent rise to the top can never be understood, a coincidence or not, most football pundits agree Liverpool's player recruitment in recent years has been first class.

As of 25th May 2018 such hacked data breaches are required to be disclosed to the UK's Information Commissioner's Office (ICO), and could theoretically cost Manchester City and perhaps Liverpool millions in fines under the recently updated UK Data Protection Act, which incorporates the European General Data Protection Regulation (GDPR). Given the Scout7 app holds the personal data of European players, and  GDPR fines can be up to 4% of global turnover, this means a potential ICO fine of up £20 million. And accessing or hacking into systems without permission is a criminal offence under the UK Computer Misuse Act.

The Billion Pound Manchester City Hack
On 14th February, UEFA's Chamber of the Club Financial Control Body (CFCB) announced its decision to ban Manchester City from competing in European competition for two years, and a £25 million fine for breaching UEFA’s Financial Fair Play (FFP) rules.  

UEFA’s Financial Fair Play (FFP) rules

The revenue from missing two Champions League campaigns could cost the Manchester club around £300 million in total. The Premier League and the English FA are also investigating City on the back of the UEFA investigation, so could follow suit with their own FFP sanctions, with media speculating such investigations could result in City's relegation to England's bottom tier of professional football. Dropping to League Two could potentially cost the club around £1 billion in lost TV revenues alone.  However, Man.City quickly announced they will be challenging UEFA’s findings and disciplinary action through the Court of Arbitration for Sport (CAS), so it remains to be seen if those UEFA disciplinary sanctions will stand. City’s FFP woes all started with a hack of their email system, a hack which could ultimately cost the club over billion pounds.

Is Football 'Wikileaks' Ethical?
UEFA's investigation into City started with the club's hacked internal emails being disclosed to the media, by a hacker through a 'football leaks' website. On 5th November 2018, German magazine ‘Der Spiegel’ (The Mirror) published an article which claimed City and their sponsors had manipulated sponsorship contracts to circumvent UEFA FFP rules, inflating the value of their commercial income. The Spiegel article supported claims of FFP ‘wrongdoing’ by quoting extracts from senior Manchester City club officials stolen internal emails.

Portuguese resident Rui Pinto is alleged to be the hacker who successfully hacked into City's internal email system in 2015. Pinto was arrested and remains in prison awaiting trial on 90 different counts of hacking, sabotage and fraud. Pinto reportedly took 70 million documents and 3.4 terabytes of information from a string of football clubs and high profile players, releasing the data via the 'football leaks' website (https://footballleaks2015.wordpress.com/).  

Pinto told Der Spiegel he was aware of the risks of his work and is quoted as saying “I initiated a spontaneous movement of revelations about the football industry”.  So depending on your viewpoint, and likely your football club loyalty, this 'Wikileaks for football' is either ethical on transparency grounds, or it should not be condoned given the information was obtained by illegal means.  Just like the actual Wikileaks, individual views will be polarised on the ethics of leaking private and confidential information into the public domain. Although given the tribal and competitive nature of most football fans, aside from Manchester City fans, most football fans are likely to agree the illegal method was justified.  

Rui Pinto, Criminal Hacker or Whistleblower?

It seems UEFA also agree with the illegal method used, as on the back of the Der Spiegel article and hacked emails, UEFA began its investigation into Manchester City on March 2019, stating “The investigation will focus on several alleged violations of FFP that were recently made public in various media outlets."  

The 'Ethical' Legal Battle Ahead
When police authorities and prosecutors do not collect evidence using legal means in criminal trials, such evidence becomes inadmissible in court. Digital evidence not forensically acquired can also be challenged and dismissed. Hacked emails as text files can be easily doctored. For instance, in 2018 said key documents supporting rape claims against Cristiano Ronaldo, as obtained through the Football Leaks website, were subsequently dismissed by Ronaldo's lawyers as having been fabricated by hackers.

If all the other top tier football clubs had all their internal emails disclosed to the media and UEFA investigators, how many other clubs would be found to have bent or broken FFP rules as well?  There are many football fans deeply suspicious about the finances and commercial sponsorship deals at many of Europe’s elite football clubs.

The City email hack will have significant ramifications on the football industry, the power of UEFA and its enforcement of FFP will be tested. With millions at stake, Manchester City’s lawyers and UEFA will be fighting it out in the courts in the coming months, the ethics of using data leaks as evidence will be one of the key arguments

Let Him Who Is Without Sin Cast the First Stone
UEFA doesn’t exactly have a good track record on ethics either, former UEFA Chief Michel Platini was banned from all football activity for 8 years by FIFA’s Ethics Committee in 2015. In June 2019 Platini was questioned by Police in regards to his backing of Qatar's bid to host the 2020 World Cup, despite allegedly telling American officials he would be voting for the United States. Then there is the ethics of UEFA fining football clubs multi-millions for breaching FFP, while at the same time fining clubs in the low thousands for breaches of its racism rules.