A coward exposes personal information on 40% of Chileans

Date Reported:
5/10/08

Organization:
Chilean Government

Contractor/Consultant/Branch:
None

Victims:
Chilean residents

Number Affected:
~6,000,000

Types of Data:
"names, addresses, telephone numbers and taxpayer identification numbers"

Breach Description:
"An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy problems in the country.  The data was posted early Saturday morning on Fayerwayer.com, a popular Chilean technology blog."

Reference URL:
Fayerwayer.com Alert
ABC News
The Tech Herald
International Herald Tribune
vnunet.com

Report Credit:
JI Stark, Fayerwayer.com

Response:
From the online sources cited above:



ORIGINAL POST TEXT GOOGLE TRANSLATED
Something really horrible has just come to our comments.  Moments after writing about the purchase of Inquisitor by Yahoo, an anonymous comment left three links to download two files that contain CSV databases from public and private institutions with sensitive information on millions of Chileans, such as the RUN (Rol Único Nacional, the Chilean national identification number), socio-economic, electoral and educational data, addresses, and individuals' telephone numbers, among others.

We urge that if you see these files, please do not download or disseminate them by any electronic means.

What can happen is extremely dangerous - and so is what can happen to you, as merely disseminating them is an offence punishable by law - in the event that such sensitive data falls into unscrupulous hands.  Seriously.

Update 02:46 AM (GMT -4): The team of FireWire is doing everything in its power at this time to cooperate and ensure that this situation is resolved as soon as possible.

Update 03:25 AM (GMT -4): The topics in our forums with links to the files were deleted. The FireWire forums require registration, so that data - although most likely false, including IP's mask - will be put in the hands of the authorities.

Update 04:45 PM (GMT -4): The Cybercrime Brigade of the Investigative Police of Chile already contacted us, told us about the progress of the investigation that is already under way and we extend all cooperation that is within our grasp.

END OF ORIGINAL POST TEXT

A hacker has obtained the personal details of around six million Chileans from government and military servers and posted them on a technology blog.
[Evan] "Anonymous Coward" posted the information in the comments of the purchase of Inquisitor by Yahoo posting on Fayerwayer.

The hacker, who calls himself "Anonymous Coward," posted three compressed files of data that included names, addresses, telephone numbers and taxpayer identification numbers for Chilean residents, said Leo Prieto, Fayerwayer.com's director.

The data was taken early Friday from servers at the Education Ministry, the electoral service and the military.

It was first reported to police early Saturday by Leo Prieto, the administrator of a local technology-oriented Internet site who discovered links to the information online.

Among the data was a list of students who receive preferential public transportation rates, including one of President Michelle Bachelet's two daughters.

Despite the information's prompt removal from the Internet, some people may have downloaded it "and it may still be around on the Internet,"

Over the following days the files started popping up on other sites including Google's Blogger.
[Evan] You can't un-disclose confidential information.  Once the confidentiality of information has been compromised, it is always going to be compromised.

Reports claim that the hacker performed the stunt to highlight poor levels of data protection in Chile.
[Evan] What idiot would pull such a stunt and claim such a ridiculous justification?

In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country
[Evan] This is the worst way to draw attention to poor data protection.  What "Anonymous Coward" did was create 6,000,000+ enemies and put his/her well-being at risk.  He/she caused an extraordinary amount of harm to almost 40% of Chile's population and made a complete ass out of him/herself.

El Mercurio reported that it had access to some of the data, including a file in which the hacker said he intended "to demonstrate how poorly protected the data in Chile is, and how nobody works to protect it."

The files include tips on what to do with the data and how best to access it.

"Chile may be on the other side of the world, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant at security firm Sophos.

"No matter how moral or ethical the motive, this prank was irresponsible and has left almost 40 per cent of Chile's population at risk of identity theft."

Cluley added that all organisations around the world should see this as a wake-up call and ensure that all personal and sensitive information is stored securely.
[Evan] You would think that the 94,000,000 credit card numbers stolen from TJX, or the 26,500,000 Social Security numbers on the stolen Veterans Affairs laptop, or the 25,000,000 personal records lost on CDs from HM Customs and Revenue would wake organizations up.  There is still this illogical thought in organizations that "this will never happen to us".  It DOES and IT WILL.  I'm not even going to get into information security personnel that lack skill and have business leaders fooled into thinking that they are doing the right thing(s).

"Whether or not the loss results in a fine is almost irrelevant; the consequences of falling victim to such an attack can mean irreversible damage to reputation and customer confidence."
[Evan] I couldn't agree with Mr. Cluley any more.  This is a guy that "gets it".

Commentary:
Unbelievable.  The evil in some people.  So let's say that "Anonymous Coward" is caught (I think chances are better than 50/50).  Now what?  How do you punish someone whose actions put 6,000,000 people at risk of losing their identities?  These people will live with some level of fear for a very long time.  Punishment will be severe, but how severe is enough?  This will be an interesting story to follow.

Let's not lose sight of another issue with this breach.  What is the Chilean government doing to protect confidential information and what does it intend to do in response to this breach?  Obviously the government needs to secure information better, but how will they respond to 40% of their residents being exposed to fraud and all that comes with it?  I don't know what can be done short of re-assigning government issued identifiers to Chilean residents.  This breach (or series of breaches) could be very costly to residents, the Chilean economy and the government.

Past Breaches:
Unknown


 