Hackers breach website for SF transit agency police
Data for 102 cops aired to protest BART
Hackers breached the website belonging to a police union and posted sensitive personal information for more than 100 officers who work for a San Francisco regional transit authority.
The breach of bartpoa.com was the second time in less than a week that websites affiliated with Bay Area Rapid Transit have been targeted by hackers. Over the weekend, people claiming to be members of the Anonymous hacking collective said they were protesting BART by publishing personal information for more than 2,000 passengers who had nothing to do with the agency's management.
People claiming to be members of Anonymous took credit for the attack that exposed passenger data. It was less clear what role the group had in Wednesday's breach.
“The leak today of BART officer data could be the work sanctioned by those who truly support anonymous, or agent provocateurs,” a tweet from AnonyOps said. “Stay skeptical.”
A later dispatch on the microblogging site said: “People who are against anonymous know they can do things under the name 'anonymous' and never be questioned. This is anonymous, defined.”
A posting on Pastebin.com listed the names, home and email addresses and site passwords of 102 BART police officers. At time of writing, bartpoa.com was inaccessible.
It's unclear exactly how the hackers compromised the police officer data.
The hackers in the earlier attack claimed to access the passenger information by exploiting a rudimentary security flaw in MyBart.org, which is owned by BART. BART officials have declined to say whether the site was ever reviewed by outside security auditors.
The attacks follow a controversial move to disable cellular service in at least four San Francisco BART stations last week. BART management took that action to disrupt a planned demonstration that protesters were organizing online. BART officials said its decision to turn off the nodes that connected carriers to underground antennas was legal and necessary to prevent unsafe conditions in confined spaces. Critics have compared the move to those taken by former Egyptian President Hosni Mubarak to quash protests against his rule.
The BART demonstrations were protesting the fatal shooting by BART police in July of a homeless man who allegedly brandished a knife as he lunged at officers. ®
Is it not time that data holders took security seriously?
It seems their standard response is "we would have got away with it, if it hadn't been for those interfering kids (and their pesky dog)."
Perhaps they could start by asking if they really need to collect the data in the first place, and if they do, does it really need to be made available on-line.
Here is a helpful hint for any data holders who might be reading this:- Ask your site designer what an SQL injection attack is and how they are carried out. If they don't know, then get another site designer.
maybe they can turn off the internet
It works for cellphones, why not just shut off the net?
"Tech guys stickin' it to Da Man" vs the risk that people might be targeted by the "They're all part of The Machine so they deserve it" brigade? (Seen one of the latter here, sad to say.) I don't see any moral ambiguity where innocents could be harmed by malicious parties. Sure, they could always follow the officers home or whatever, but that doesn't justify this sort of thing, does it?