London celebrity talent agency reports itself to ICO following Rhysida attack claims

Showbiz members' passport scans already plastered online


A London talent agency has reported itself to the UK's data protection watchdog after the Rhysida ransomware crew last week claimed it had attacked the business, which represents luminaries of stage and screen.

The Agency was established in 1995 and clients include Louis De Bernieres, Sam Mendes, Emma Thompson, and many more across the Film, TV, and Theatre industries.

The Register asked The Agency for comment on the claims but it refused to give a statement. We understand, however, that the Information Commissioner's Office (ICO) has been informed of an incident. 

An ICO spokesperson said: "We have received a report from The Agency and we are making enquiries."

It should be said that self-referring to the ICO doesn't necessarily mean a given organization has suffered a data security exposure that may be punishable under data protection law.

The watchdog's official line is that if an incident is reasonably likely to impact data subjects' rights and freedoms, then a report may be necessary, although not every breach is so severe it must be reported.

The same group that hit the British Library with ransomware in 2023, Rhysida, claims it is now holding The Agency's data to ransom. Its data leak site suggests it is willing to sell the data for 7 Bitcoins ($678,035) and the gang already published a montage of documents it alleges to have stolen from The Agency.

That montage includes passport scans of what appear to be the company's clients, spreadsheets, and other internal documents.

Rhysida's auction for the data is set to end on Thursday morning, suggesting the same deadline applies to The Agency itself to pay the gang's extortion demands.

Rhysida is a relatively inconsistent ransomware group. Unlike RansomHub and Akira, its affiliates don't tend to register the greatest number of attacks. The group didn't even reach the top ten in Huntress' analysis of the top ransomware groups from the past year. However, the attacks it pulls off are often high profile in nature.

The strike against the British Library is one of the most disruptive ransomware incidents in the UK in recent memory, albeit not quite as damaging as Qilin's attack on Synnovis last year.

The British Library didn't pay the gang's ransom demands, which amounted to roughly the same as The Agency's auction price, and early reports suggested the cost of recovery could run up to £7 million ($8.8 million). Five months after the attack, it told Civil Society that recovery costs had already reached £1.6 million ($2 million). 

Other high-profile attacks include those on luxury yacht dealer MarineMax, which confirmed unauthorized access via a Securities and Exchange Commission (SEC) filing in March 2024, and the Port of Seattle a few months later.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory [PDF] following the British Library break-in that was laden with details about Rhysida's tradecraft. Defenders would do well to follow the guidance laid out in the document but to summarize: Patch vulnerabilities (especially in VPNs) and enable multi-factor authentication (MFA) to prevent the gang's routine credential abuse. Basic, sensible but sometimes overlooked stuff. ®
