9 Jan 2012

Hackers publish personal data of top UK officials

Channel 4 News understands a nuclear safety official has joined MPs and MoD staff on the list of thousands of people whose personal data has been leaked onto the internet by hackers.

The addresses were on a database of subscribers to American consultancy Strategic Forecasting Inc (Stratfor), which also carried encrypted versions of the passwords used to access its website.

It was exposed by hackers, thought to be affiliated with the Anonymous group, who gained access to the database on Christmas Eve.

The email addresses of 221 Ministry of Defence officials, 242 Nato staff, 67 Scotland Yard staff, 45 civil servants from the Foreign Office, 14 from the Home Office, and seven from the Cabinet Office were all included in the leak.

Email addresses and personal data belonging to US customers of Stratfor were also published, with victims including former US Secretary of State Henry Kissinger, as well as former Vice President Dan Quayle. The database also included the email addresses of 19,000 US military personnel.

At present, there is no indication of any threat to UK government systems. UK government spokesman

Channel 4 News understands that a person at the Committee for the Protection of National Infrastructure – which oversees safety at nuclear power stations – has also had their email address published.

Labour MP Jeremy Corbyn was among 23 people who work in the Houses of Parliament whose details were obtained.

Details exposed

At least 75,000 subscribers also had their credit card numbers and addresses exposed, including 462 UK-based accounts.

Stratfor, which is based in Texas and employs around 70 staff, specialises in foreign affairs and security issues.

Read more: 'Disturbing' rise in cyber attacks on UK government

A government spokesman said: “We are aware that subscriber details for the Stratfor website have been published in the public domain. At present, there is no indication of any threat to UK government systems. Advice and guidance on such threats is issued to government departments through the Government Computer Emergency Response Team.”

Stratfor has taken down much of its website, but a message on the homepage reads: “As you may know, an unauthorized party illegally obtained and disclosed personally identifiable information and related credit card data of some of our subscribers.

“We are currently investigating this unfortunate event and are working diligently to prevent it from ever happening again. As a result, we have delayed restoring our website until we can perform a thorough security review. Stay tuned for our relaunch.

“In the meantime, our main concern is the impact on our customers. As a result, we have provided paid subscribers with identity protection coverage from CSID, a leading provider of global identity protection, at our expense for 12 months.”

What went wrong?

“It would seem almost obvious that with sensitive data belonging to large corporate and military clients their IT security would have been very strict and very difficult to penetrate. Unfortunately that was not the case.

“From our quick analysis and without going into technical detail. they failed in three very basic and cheap to implement areas: not putting sensitive data on a web server, not encrypting documents and not isolating data. It really is that easy.”

Graeme Batsman, director of Data Defender security company

The hack comes less than a week after Symantec, the top maker of security software such as Norton antivirus, confirmed that hackers had obtained a sizable part of the code its uses for its products.

Hackers calling themselves the Lords of Dharmaraja stole the code from a third party, which said it had accessed the information from the Indian military.

In a an online post, the group wrote: “As of now we start sharing with all our brothers and followers information from the Indian Military Intelligence servers, so far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI.”

Symantec said the published code was several years old, and therefore likely to be of little use to anyone who got their hands on it.

“Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued,” Cris Paden, a spokesman for Symantec, said.