SB Tech Breach

SB Tech Breach

Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims.  GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims. 

GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

“The Maze ransomware was discovered on May 29th 2019 by Jerome Segura. Maze is a complex piece of malware that uses different techniques to gain entry to systems. It relies on exploits kits, remote desktop connections with weak passwords or via email impersonation. These emails come with a Word attachment that was using macros to run the malware in the system. The mind-blowing thing here is that all of these methods are easy to prevent. I am genuinely surprised businesses get caught by this.”

Peter Bassill – CEO – Hedgehog Cyber Security

On Monday, April 1st, SBTech confirmed it had been the target of an attempted ransomware attack. SBTech went on to state customer data was not taken.

Once again, Maze announced their victims in a public post and on their victim shame site. SBTech was among them. Victims also included Curacao-licensed online sportsbook BetUS, cybersecurity insurance firm Chubb, and the French firm Bouygues Construction.

Amar Singh, CEO at the Cyber Management Alliance, found it hard to believe a gaming company could have such a low level of security.

“Gaming companies are usually ahead of the curve in defending against these types of attack. For Maze to have been successful, they would have needed a foothold inside of SBTech. That means a breach occurred, and if this is the case, client records were accessed. So while SBTechs statement that there was no access to customer data, if it was Maze, then it SBTech was breached.” 

Amar Singh – CEO – Cyber Management Alliance

“Ransomware can be tricky to clean out, and often you end up resorting to a restore from your last known good backup.” Bassill went on to say. “One of the hardest things SBTech are going to face now is the uncertainty. Maze group got in before. Have they closed all the doors and have they eradicated all the malware?”

SBTech is coming to the end of a recovery phase, and restoration of all services is complete. All customer data was securely encrypted, and there has been no data breach.

What can operators do to prevent this happening to then?

The best defence against this particular form of malware and ransomware is good cyber security hygiene — a real multi-layered defence-in-depth approach to securing the business. 

Singh had this advice for businesses: “As in other walks of life, you can only treat a problem by first admitting it exists. Consequently, management needs to begin by accepting that cyber criminals will establish a foothold and that they are likely ‘living’ in your digital networks right now.  What does that mean in real terms? Create and implement a corporate cyber resilience strategy (rather than a cybersecurity strategy) where you focus equally on protection, rapid detection and rapid response. “

“There is no real tangible information on how the attack happened, but we took the time to go through the limited dumps published by Maze and from this we can, assuming the dumps valid which they do appear to be, pull out some findings for people”. Bassill added, having reviewed the published materials.

The User

It all starts with the user, implementing stronger passphrases, and monitoring user account for signs of compromise. Ensuring that the passphrases are changed every 90 days is essential too. The simplest way for a breach to occur like this is to guess a users password. With services like Have I Been Pwned, you can check where your passwords have been published. But attackers use this too in order to identify any password patterns you may use. So, change your password up a bit.

While we are discussing the user, we would be remiss not to mention reminding users not to open files they are not expecting. And not to click on links unless they know where the links can from and go to.

Internal Filing

Segmentation of the internal filing is important. Keep all of your customer data logically, and ideally physically, separate from your business data. This looks to be something SG Tech did really well as there is no player data within the dumps. My keeping good internal filing segmentation, should the worse happen and you be hit with Ransomeware malware, you stand a good chance that not all of your files will be rendered unreadable.


We have long said that two is one and one is none. With backup now, you really need three. One is your local backup and is always cycling, probably on a weekly job. You should also have one that is stored remotely from your systems. This should be pushed to a remote store every time the backup runs, but never overwriting any previous backups. This is your saviour from Ransomware. The third backup should be stored on removable media and kept disconnected. If you suffer a full breach this is the backup that might just save you.

And remember to do test restores of each of the backup locations at least every four months.


With your technology stack, regular patching of all systems, applications and services is imperative. Upgrading servers that are approaching end of life is vital too.

Performing patching around seven days from the release of security updates is essential. After day seven the attackers have typically reversed the security patches and will have started to weaponise their code. By day nine, we usually see attack tools release to take advantage of the security vulnerabilities described in the patches.

  • Recent Articles
Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.

We would like to keep you informed about our services. Please tick the options below to receive occasional updates via

  • penetration testing steps
    Peter talks to FindMyUkCasino
  • Malware
    SB Tech Breach

    Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims.  GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

  • Privacy
    Howto VPn

    In our “How to securely” series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to help.

  • WhatsApp
    How To Whatsapp Safely

    WhatsApp is among the fastest-growing instant messengers out there, and almost a social network in its own way. But if you are using it, there are some steps you should take to protect your security and privacy.

  • Morrisons Breach Update

    The UK’s highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not “vicariously liable”.

  • Remote Working Considerations

    With the current pandemic situation, we all need to be taking remote working considerations. While adjusting the work paradym, it is vital to keep a mind’s eye on the security and safety of the businesses information assets

  • Securing Zoom
    How To: Securing Zoom

    In this guide we are looking at how to go about securing zoom. Since the onset of the global pandemic, we have seen surge in “zoom bombing”. This is where people with malicious intent look for in-progress zoom meetings to join and cause trouble.

  • Software Security
    Dell EMC iDRAC memory corruption Vulnerability

    A critical vulnerabiltiy has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack based memory corruption.

  • Hiscox Sues for Failing to Disclose Data Breach

    On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.

  • Software Security
    Privilege escalation on Nginx Controller up to 3.1.x Controller API

    A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Scroll to Top