How a server forgotten for 12 years can cost 120,000 pounds

    Just a few days before the GDPR came into force, the University of Greenwich found itself in trouble. The Information Commissioner's Office (the ICO, the UK's independent body that oversees compliance with information law) fined the university £120,000 (at the time of writing about 136 thousand euros, 160 thousand US dollars, 10 million Russian rubles or 4.2 million Ukrainian hryvnias) for a serious security vulnerability that led to the leak of data on almost 20 thousand students and staff. How such a respected university ended up on the wrong side of the ICO and became the first university fined for breaching the DPA, and what this teaches us, is below the cut.



    It all started back in 2004, when the university hosted an academic conference at its School of Computing and Mathematics, for which one of the students built a microsite. One of its functions was anonymous document upload. The conference ended, and the server was simply forgotten. Nobody switched it off, wiped it or updated it. It just hummed quietly in a corner for many years (we envy university budgets that allow one to forget about servers and the electricity they consume).

    Finally, in 2013, that is 9 (!) years later, the first attacker reached the server and used the anonymous upload function to compromise the microsite. Nobody noticed. Which is entirely predictable: how can you spot an intrusion on a server that nobody has paid attention to for 9 years?

    Hackers got into the university network several more times in 2016, exploiting SQL and PHP vulnerabilities in software that by then had gone 12 years without updates. Again, this was not noticed immediately. The university learned of the intrusion and the data dump only when one of the hackers posted it in full on Pastebin.

    And a lot was leaked. The personal information of approximately 19,500 students, graduates and university staff, including names, addresses and telephone numbers, became publicly available. So did more sensitive data on 3,500 people, covering not only reasons given for absences but also learning difficulties, illnesses and so on.

    The university acknowledged its mistake and carried out a "general clean-up" aimed at significantly strengthening the security of its internal resources.

    What does this teach us?


    The situation is curious but very instructive, and lessons can be drawn from several perspectives.

    From the perspective of the GDPR


    Given that the decision was made just a few days before the GDPR came into force, many are looking at the situation from the perspective of that regulation as well. In this case the university is considered the controller of the personal data and is accordingly responsible for keeping it secure, even though the site was created long ago, within one of the university's departments and, apparently, without the knowledge of the IT department.

    The fine could have been higher had the incident occurred after the new regulation came into force. Under the old rules the ICO can impose fines of up to £500,000 (about 560 thousand euros), whereas the GDPR provides for fines of up to 20 million euros or 4% of annual global turnover, whichever is greater.

    From the perspective of large organizations


    The larger the organization, the harder it is to keep track of everything, especially when it has fairly autonomous units such as faculties or remote offices and production sites. But that is no excuse for not keeping an inventory.

    Responsible IT departments should once again refresh a couple of simple rules that would have helped avoid this situation:

    1. Update regularly. The rule is so obvious that it is almost embarrassing to write it down. But in many ways it was failure to follow it that led to the consequences described above.
    2. Take out the trash on time. How often do we create temporary sites, files, open folders or accounts with primitive passwords for one-off short-term tasks? I think many of us do it from time to time. But sometimes we forget to delete them right after the task is done, and thereby leave a security hole open. Who knows how soon someone will find your test.php with direct access to the database?
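    A minimal stale-asset audit in the spirit of rule 2, added here as an example and not part of the original article: it walks a constructed inventory and flags every host that has no owner, has gone longer than an assumed 90-day limit without patching, or is past its planned decommission date. The inventory rows, host names and the 90-day threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# How long a host may go without patching before it is flagged (assumption).
MAX_PATCH_AGE = timedelta(days=90)


@dataclass
class Asset:
    """One row of an asset inventory (constructed for this example)."""
    host: str
    owner: str                       # empty string: nobody claims the host
    purpose: str
    last_patched: date
    decommission_by: Optional[date]  # planned end of life, None if permanent


# Constructed sample inventory; the first row mirrors the forgotten
# conference microsite, the last one a temporary upload test box.
INVENTORY: List[Asset] = [
    Asset("conf-2004-microsite", "", "conference site with anonymous upload",
          date(2004, 5, 10), date(2004, 6, 30)),
    Asset("www-main", "central-it", "public website",
          date(2016, 5, 20), None),
    Asset("dev-scratch", "cms-dev", "temporary test.php upload box",
          date(2015, 11, 1), date(2016, 1, 15)),
]

# Reference date for the audit run (constructed).
AUDIT_DATE = date(2016, 6, 1)


def audit(assets: List[Asset], today: date) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every asset that needs attention."""
    findings = []
    for a in assets:
        reasons = []
        if not a.owner.strip():
            reasons.append("no owner")
        patch_age = today - a.last_patched
        if patch_age > MAX_PATCH_AGE:
            reasons.append(f"unpatched for {patch_age.days} days")
        if a.decommission_by is not None and a.decommission_by < today:
            reasons.append(f"past decommission date {a.decommission_by}")
        if reasons:
            findings.append((a.host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in audit(INVENTORY, AUDIT_DATE):
        print(f"{host}: {'; '.join(reasons)}")
```

    Hosts that come back with "no owner" are the ones nobody will ever patch or switch off, which is exactly how a 2004 conference site survives into 2016.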

    If this article encourages even one person to audit their resources, especially those that have already served their purpose, then my day was not wasted.

    For reference


    The Information Commissioner's Office is a British body set up to uphold information rights in the public interest. It has a number of duties under the Data Protection Act 1998, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.

    Among the office's tasks is correcting the behaviour of organizations and individuals that collect, process and use personal data. It has a wide arsenal of enforcement tools at its disposal, from audits to fines and criminal prosecution. Some cases from its practice may surprise you, or even make you envious.

    • Costelloe and Kelly Limited was fined £19,000 for sending over 260,000 spam messages advertising funeral packages.
    • The Royal Postal Service was fined £12,000 for spamming users who had unsubscribed.
    • The Royal Prosecution Service was fined £325,000 for losing unencrypted DVDs of police interviews relating to the cases of 15 victims of child sexual abuse. And this was the second data loss by the prosecution service. So it is not only in our countries that things are a mess...
    • A former employment consultant parted with more than a thousand pounds for taking data out of the employer's database. And which of you has taken repositories or client bases with you before leaving a company? ;)
    • The Bible community paid a hundred thousand pounds for a vulnerability through which information on 417 thousand supporters of the organization was harvested, including bank card and account details of people who had donated.
    • An employee of a local council's education department was fined £1,500 for sending students' and parents' personal information via Snapchat. And she meant no harm: a parent living apart from the family wanted some information about his child. But since a phone camera cannot capture just one row of a table, the parent received personal data on 37 students and their parents, including names, addresses, dates of birth and social security numbers. Incidentally, she no longer works there.

    One can only hope that a civilized and respectful attitude to data will sooner or later reach our part of the world as well.
