"illegal hacking" exposes Foothills Park & Recreation District patron information
Date Reported:
10/1/08
Organization:
Jefferson County (CO)
Contractor/Consultant/Branch:
Foothills Park & Recreation District
Location:
Littleton, Colorado
Victims:
Patrons
Number Affected:
Unknown*
*According to Executive Director Ronald Hopp, the number is "very significant"
Types of Data:
"personal information, including credit card numbers"
Breach Description:
"Foothills Park & Recreation District in South Jefferson County is working with the Jefferson County Sheriff’s Office in the investigation of a theft of information from the district’s computer network."
Reference URL:
Foothills Park & Recreation District SECURITY ALERT
Foothills Park & Recreation District Full Press Release
Denver Channel 7 News
KUSA Channel 9 News
Report Credit:
Ronald Hopp, Executive Director of the Foothills Park & Recreation District
Response:
From the online sources cited above:
Foothills Park & Recreation District in South Jefferson County is working with the
Jefferson County Sheriff’s Office in the investigation of a theft of information from the
district’s computer network.
[Evan] It's not clear if unauthorized access was gained to information resources residing on the district internal network or just the website infrastructure, assuming that the district employs network segregation.
The information - that appears to have been accessed through an illegal hacking - could contain credit card information and other personal information that could be used to commit identity theft.
If information has, in fact, been stolen, it appears to be credit card information for individuals who have registered for classes either online at www.ifoothills.org or at one of Foothills Park & Recreation District’s facilities.
Foothills Executive Director Ronald Hopp said, "It is very disturbing that despite the
security measures that were in effect, a rogue hacker was still successful in obtaining
this information."
[Evan] I am always curious to read or hear what a business leader means by "security measures". What security measures were in effect? It wasn't all that long ago when a firewall by itself was considered adequate by some business owners/leaders. Do you suppose some business owners/leaders think this way today?
He went on to state, "Additional protections are being installed, and on-line registration will not be available until these measures are implemented."
[Evan] We don't know what was in place to begin with. I'll take effective protections over additional protections any day.
Foothills Executive Director Ronald Hopp said they started having trouble with the Web site last week.
[Evan] This is important to note. If something seems unusual or out of place it means that something has probably changed. If something has changed and there is no authorized and obvious cause, it must be investigated immediately.
Originally the problem seemed to be a virus, but, he said, they now believe it was a cover for someone to hack the site and steal personal information.
Technical staff discovered Monday morning that the files were compromised and possibly stolen.
The number of people affected would be "very significant."
The district has hired a network security consultant who will be auditing the systems and making recommendations for future security measures, and all internal systems and processes are being reviewed in an effort to eliminate the possibility of this happening again.
[Evan] I wonder why organizations don't publicize the experts and consultants that they bring in as a response to a breach.
Individual patrons whose information may have been compromised will be notified by
Foothills Park & Recreation District directly and provided with additional information.
The district has created an information page on its website (www.ifoothills.org/securityalert/) for individuals who are concerned that their information may have been on the network.

The Foothills website is largely unavailable after the security breach. (Source: The Foothills Park & Recreation District website)
In addition, the district has set up a special number at to answer specific questions not addressed on the website.
Commentary:
I have more questions than answers. Was this breach the result of an attack on the web site, originating purely from a direct external source? Was this breach the result of an attack originating through an infected client computer on the district network? Did the breach only affect a single system? Was the district's infrastructure PCI compliant? Why is it suggested that this was a two-prong attack (one diversionary attack to draw attention away from the intrusion attack)?
It's good that the district has brought in a consultant (hopefully a good one) and it should be appreciated that notification has been swift.
An interesting note:
We found that the same server that hosts the Foothills Park & Recreation District website also hosts the Columbine Memorial website, both running Microsoft IIS. The Columbine Memorial website donations are processed through PayPal, so online donors to the Columbine Memorial will likely be unaffected by this breach. The Foothills Park & Recreation District site appears to have been processing its own payments. View source on this page if you want to go further. I'm onto other things now.
Past Breaches:
Unknown

What security measures had been taken by Foothills? Did the park have any encryption on their systems?
It's curious that the system administrators did not recognize the hack earlier. Even more curious is the fact that identity theft has become so common, it seems special measures would be taken against credit card information logged on ANY website, regardless of its popularity. And since the number of people potentially affected would be "very significant," shouldn't the park take further precaution to protect their obviously large base of users?
It is quite a shame that all of this sensitive information could be immediately retrieved with the proper security measures.