BreachExchange mailing list archives

Conmen DID use leaked info of sporty civil servants... to attack HMRC


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 18 Dec 2012 11:18:46 -0500

http://www.theregister.co.uk/2012/12/18/civil_servants_data_used_to_attack_hmrc/

Criminals used the personal data of 100,000 civil servants that was
swiped in early 2010 in an attack on HMRC around the same time, The
Register has discovered. Now, almost three years later, the government
is still scrabbling around trying to work out whodunnit... and only
recently 'fessed up to the individuals concerned that their data had
been snaffled.

Just last month, the Civil Service Sports Council informed civil
servants who signed up to access football fields and gyms through the
council that their personal details had been slurped. Now it has
emerged that their data was used as ammunition in a broadside against
the tax collectors - a previously unknown and unreported attack.

It is understood that no "individual fraud" was committed, but the
data could theoretically have been used by crims to draw ghost
benefits or even ghost salaries from the government department.
Nevertheless, until recently, none of the targets were informed that
their data had been compromised.

Leaky database was juicy target

The three-year-old attack came to light a few weeks ago when the
Sports Council revealed to its 100,000+ members that their personal
data had been stolen by hackers some time before February 2010.

A leaky database at the Civil Service Sports Council gave the crims
the opportunity to steal the names, addresses, dates of birth and
national insurance numbers of the entire sports-playing members.
And they did. Because the database was unencrypted and all information
was logged together, a simple SQL injection was all it would have
taken to crack the database open and filch the details.

So far so standard. No inside knowledge of the civil service's sports
club was required either: a simple crawl and probe bot - a programme
that searches the web for vulnerable databases - could have picked on
the shoddy data storage simply from roving around online. The size of
the data trove and the fact that it contained national insurance
numbers made it a particularly juicy target.

How the data could have been used to hack the government

Then it gets more complicated. The Sports Council says there is “no
evidence” that the data was used to attempt individual fraud, but does
say it was used in an attempt to defraud central government.

That doesn’t stack up for Trend Micro Security expert Rik Ferguson,
who makes a comparison to the HMRC data loss of 2007 when the personal
details of 25 million recipients of child benefits were lost after
unencrypted CDs went astray. Then there was no suggestion that the
stray data would be used against government but HMRC nevertheless had
to warn all 25 million recipients that it might be used against them
in personal fraud attacks.

“It was exactly the same data that was in the Sports Council database -
names, addresses, national insurance numbers,” says Ferguson, “so I
don’t know why they suspected it would be used in a different area
this time.”

The data was used to perpetrate an attack on government according to
the Sports Council, and an HMRC spokesperson has confirmed to The
Register that the tax-collecting and benefit-dealing ministry had
suffered an attack and was investigating it.

HMRC has said it can’t comment on the investigation as it is ongoing:
so we don’t know the nature of the attack, or whether it was
successful.

We do know that it involved the personal details of the civil service
sports council members, that it happened in or before February 2010,
that it is subject to criminal investigation and we can surmise that
it was big.

Why do we think it was big? Two reasons: first that it was significant
enough for HMRC to set an internal team investigating it. Second, the
fact that the internal investigators were able to trace the cracked
data back to the sports club. If 15 or 30 jilted national insurance
numbers were used, it would have been difficult to make a connection
that led back to the Sports Council. For the investigators to track it
back, the data must have been used in sufficient quantities for them
to work out that the fraudulently used national insurance numbers came
from a single source - the Sports Council membership list.

How exactly the data could have been used to force the system is open
to speculation. A national insurance number, date of birth and address
would be all you need to set up an account, and presumably to access
benefits or even a salary, though doing it on a large scale would be
extremely complicated. Trend Micro's Ferguson says:

That data for a single person gives you everything that you need to
commit personal financial fraud, which would be fraud against a
financial institution. If you have what you need for benefit fraud,
then you have what you need for all financial fraud. Fraud is fraud.

A civil servant who spoke to The Register explained that National
Insurance numbers are used as payroll identifiers in the civil
service. Still, the attack mechanism must have been relatively complex:

I don’t think it would be done in batches; they have software that
picks up patterns of behaviour like that, so only certain individuals
will have been affected.

Data will most likely be used for personal fraud

Ferguson was sceptical of the Sports Council’s assurance that the data
had not and would not be used in personal fraud attacks:

If you’re the person responsible for stealing that, you’re going to be
offering that up for sale in underground forums then that will be sold
in small amounts. That’s another argument for why you can’t have any
certainty about how the data will end up being used.

The UK's watchdog for data protection - the Information Commissioner's
Office (ICO) - the public's white knight on matters of individual data
privacy - was informed about the breach by the Sports Council just
after it found out, on 18 February 2010, but turned over the duty of
investigation to HMRC, spokesperson Greg Jones told El Reg.

Following the database ransack, the Sports Council has significantly
cleaned up its database security, it says. Pressed for a statement,
CSSC would only reiterate its initial statement to members: that there
had been a criminal investigation into the hack, that the data had
been used against government but not - to their knowledge - against
individuals.

There was no evidence of any risk to individuals since the fraud
concerned attempts to defraud central government rather than
individuals.

The CSSC would not disclose the extra development in the investigation
that meant they decided to inform all members of the breach on 25
November, two years and nine months after they found out about it. ®
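The article says the unencrypted membership database could have been opened with "a simple SQL injection". As an added illustration of that claim, and not code from the article, The Register or the CSSC, here is a toy membership lookup over SQLite: the table layout (name, address, date of birth, National Insurance number, as the article lists them), the member rows and the NI numbers are all constructed test data, and the function names are the example's own. The string-built query returns every row when given a tautology payload; the parameterised version returns nothing for the same input.

```python
"""Added example (not part of the original article or the CSSC system):
a toy membership lookup over SQLite showing how string-built SQL leaks
every row to a crafted input, and how a bound parameter closes the hole.
The table, members and National Insurance numbers below are constructed
test data; the NI numbers are not real ones."""

import sqlite3

# Constructed sample data shaped like the membership table the article
# describes. The NI numbers are made up.
MEMBERS = [
    ("Alice Example", "1 High St, Leeds", "1970-01-02", "QQ123456A"),
    ("Bob Sample", "2 Low Rd, Bristol", "1981-03-04", "QQ234567B"),
    ("Carol Test", "3 Mid Ave, Cardiff", "1992-05-06", "QQ345678C"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (name TEXT, address TEXT, dob TEXT, ni_number TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Look a member up by name with the query text built by string
    formatting. The input becomes part of the SQL, so a crafted name
    rewrites the WHERE clause and the query returns the whole table."""
    sql = f"SELECT name, address, dob, ni_number FROM members WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value
    separately from the SQL text, so the quote and OR are just data."""
    sql = "SELECT name, address, dob, ni_number FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload. sqlite3's execute() refuses more than one
# statement, so stacked queries are not possible here; the tautology
# alone is enough to dump every row through the vulnerable lookup.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the constructed table with an honest name
    and with the payload, returning row counts for each case."""
    conn = build_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "Bob Sample")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "honest_safe": len(lookup_safe(conn, "Bob Sample")),
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

Binding the parameter is the whole fix for the injection itself; the article's other point, that the database was unencrypted, is separate. Even with injection closed, a dump of the table (by whatever route) exposes the NI numbers in the clear, which is why a practitioner would also keep the identifiers encrypted or tokenised at the application layer rather than stored alongside the names and addresses they unlock.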
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

