Street newspaper appears to have Big Issue with Qilin ransomware gang

The parent company of The Big Issue, a street newspaper and social enterprise for homeless people, is wrestling with a cybersecurity incident claimed by the Qilin ransomware gang.

In a post made to the gang’s leak site, the miscreants claim to have stolen 550 GB of company data and, according to what they’ve released already, the haul appears vast and damaging.

In a 12-photo leak, it looks as though the driving license and salary information for Paul Cheal, CEO at Big Issue Group, The Big Issue’s parent company, may have been exposed.

Danyal Sattar, CEO of Big Issue Invest, the Group’s social impact investment arm, also appears to have had his passport and bank details leaked.

Sattar’s passport is just one of many that are seemingly in the hands of Qilin’s affiliates, which posted a screenshot of a file explorer page filled with what it claims to be employee passport scans.

Other images show swathes of employee data, including full names, work emails, and home addresses included in Excel spreadsheets.

Subscriber data also appears to be at risk, displayed in a similar spreadsheet format. If these leaks are genuine, subscribers have also had their personal email addresses and bank details leaked, including account numbers, names, and sort codes.

Financials that the company does not publicly share were also posted online.

The Big Issue is a publication that serves to offer homeless people, those at risk of homelessness, or those experiencing poverty a lifeline by giving them a chance to earn money and reintegrate into society.

In 2022, it was working with 3,637 vendors – 899 of whom were working for the company for the first time.

Started in 1991, The Big Issue is published across four continents and is one of the UK’s leading social enterprises. An attack on the group will be viewed by many as no different from one on a hospital or charity, and these are generally seen as morally abhorrent, even for cybercriminals.

Cheal said in a statement: “Last week, the Big Issue Group experienced a cyber incident. On becoming aware of this, we took immediate steps to restrict access to our systems, working with external IT security experts, and the investigation into the incident is ongoing. Thanks to the proactive steps taken, we have been able to begin restoring our systems and are operating with limited disruption. The publication and distribution of the Big Issue magazine is not impacted by this incident.

“As part of our investigation, we’ve identified that certain data related to our organisation has been posted to the dark web by the perpetrators of this incident. We’re working with our external IT expert to complete our investigation as a matter of priority alongside the NCSC, the National Crime Agency, and the Metropolitan Police. In addition, we have notified relevant regulators and would like to thank our staff, partners, and suppliers for their patience whilst our investigation continues.

“This is a criminal act against our social activities and the causes we work to promote. We exist to support those living at the sharp end of poverty, who are facing barriers to opportunity. Critically our staff are continuing to support our vendors to earn a living by selling the Big Issue magazine, whilst also providing frontline support for vendors with access to advice and services, alongside making social impact lending available to social enterprises and other organizations we work with. Ensuring we continue to deliver against our mission to change lives through enterprise.”

The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, said it has been notified.

“People have the right to expect that organizations will handle their personal information securely and responsibly,” an ICO spokesperson told The Register.

“If an individual has concerns about how their data has been handled, they should raise it with the organization first, then report them to us if they are not satisfied with the response.

“The Big Issue has made us aware of an incident and we are assessing the information provided.”

According to security expert Kevin Beaumont, the company has been dealing with the incident, which it hasn’t yet linked to ransomware, “for about a week.”

“Pretty messed up target as homeless people sell the magazine, which makes next to no money in profit,” he said.

The Qilin ransomware-as-a-service (RaaS) gang, sometimes tracked by its founding name Agenda, claims it’s behind the attack. Its payload is written in Russian using Rust and Go, and the criminals behind it are also thought to be Russian.

Qilin is the name of a creature in Chinese mythology. However, it wouldn’t be the first time a ransomware group has used a moniker that attempts to confuse onlookers about its country of origin. Akira, for example, is a name of Japanese origin, but it too is thought to be staffed by Russians.

In ransomware scenarios, when a victim is posted to a leak blog, it’s usually done to hurry up the negotiation process. Making the incident public for the first time could also be a way to pile on the regulatory pressure on the group, potentially forcing it to resolve the matter more quickly.

Ultimately, the criminals behind the attack want to be paid a ransom as quickly as possible and through whatever means necessary. According to research into the gang, affiliates can expect between 80 and 85 percent of the total ransom sum.