
Conmen DID use leaked info of sporty civil servants... to attack HMRC

But why did gov only tell data's owners 3 years later?


Criminals used the personal data of 100,000 civil servants that was swiped in early 2010 in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit... and only recently 'fessed up to the individuals concerned that their data had been snaffled.

Just last month, the Civil Service Sports Council informed civil servants who signed up to access football fields and gyms through the council that their personal details had been slurped. Now it has emerged that their data was used as ammunition in a broadside against the tax collectors - a previously unknown and unreported attack.

It is understood that no "individual fraud" was committed, but the data could theoretically have been used by crims to draw ghost benefits or even ghost salaries from the government department. Nevertheless, until recently, none of the targets were informed that their data had been compromised.

Leaky database was juicy target

The three-year-old attack came to light a few weeks ago when the Sports Council revealed to its 100,000+ members that their personal data had been stolen by hackers some time before February 2010.

A leaky database at the Civil Service Sports Council gave the crims the opportunity to steal the names, addresses, dates of birth and national insurance numbers of its entire sporting membership. And they did. Because the database was unencrypted and all of the information was stored together, a simple SQL injection was all it would have taken to crack the database open and filch the details.

So far so standard. No inside knowledge of the civil service's sports club was required either: a simple crawl-and-probe bot - a program that searches the web for vulnerable databases - could have picked on the shoddy data storage simply by roving around online. The size of the data trove and the fact that it contained national insurance numbers made it a particularly juicy target.
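To make the point about "a simple SQL injection" concrete, here is an added example (not code from the article, the Sports Council or HMRC) in Python using the standard sqlite3 module. It builds a constructed membership table with invented names and NI numbers, then runs the same lookup two ways: once with the user-supplied name pasted into the SQL text, the pattern an automated probe bot goes looking for, and once with a parameterised query. The tautology input returns every row from the vulnerable version and nothing from the safe one; because every sensitive field sits in the same row, one such bug exposes the whole record.

```python
import sqlite3

# Constructed sample data standing in for a membership table like the one the
# article describes: names, addresses, dates of birth and NI numbers stored
# together in the clear. All values are invented.
MEMBERS = [
    ("Alice Example", "1 Sample Street", "1975-03-02", "QQ123456A"),
    ("Bob Example", "2 Sample Street", "1982-11-17", "QQ234567B"),
    ("Carol Example", "3 Sample Street", "1969-07-30", "QQ345678C"),
]


def make_db():
    """Create an in-memory database holding the constructed membership list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (name TEXT, address TEXT, dob TEXT, nino TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    return conn


def lookup_member_unsafe(conn, name):
    """Vulnerable pattern: user input is interpolated into the SQL text, so
    quote characters in the input become part of the statement."""
    sql = "SELECT name, address, dob, nino FROM members WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_member_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so the input can never change the query's structure."""
    sql = "SELECT name, address, dob, nino FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a classic tautology probe
    and return how many rows each one leaks."""
    conn = make_db()
    normal = "Alice Example"
    # The textbook tautology payload that a crawl-and-probe scanner tries:
    # in the unsafe query it turns the WHERE clause into "... OR '1'='1'".
    tautology = "x' OR '1'='1"
    return {
        "unsafe_normal": len(lookup_member_unsafe(conn, normal)),
        "unsafe_tautology": len(lookup_member_unsafe(conn, tautology)),
        "safe_normal": len(lookup_member_safe(conn, normal)),
        "safe_tautology": len(lookup_member_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The parameterised version is the whole fix for the injection itself; encrypting or separating the NI number column would additionally limit what a future bug of this kind could hand over in one go.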

How the data could have been used to hack the government

Then it gets more complicated. The Sports Council says there is “no evidence” that the data was used to attempt individual fraud, but does say it was used in an attempt to defraud central government.

That doesn’t stack up for Trend Micro security expert Rik Ferguson, who draws a comparison with the HMRC data loss of 2007, when the personal details of 25 million child benefit recipients were lost after unencrypted CDs went astray. At the time there was no suggestion that the stray data would be used against government, but HMRC nevertheless had to warn all 25 million recipients that it might be used against them in personal fraud attacks.

“It was exactly the same data that was in the Sports Council database - names, addresses, national insurance numbers,” says Ferguson, “so I don’t know why they suspected it would be used in a different area this time.”

The data was used to perpetrate an attack on government according to the Sports Council, and an HMRC spokesperson has confirmed to The Register that the tax-collecting and benefit-dealing ministry had suffered an attack and was investigating it.

HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful.

We do know that it involved the personal details of the Civil Service Sports Council members, that it happened in or before February 2010, and that it is subject to a criminal investigation; we can also surmise that it was big.

Why do we think it was big? Two reasons: first, that it was significant enough for HMRC to set an internal team investigating it. Second, the fact that the internal investigators were able to trace the stolen data back to the sports club. If only 15 or 30 pilfered national insurance numbers had been used, it would have been difficult to make a connection that led back to the Sports Council. For the investigators to track it back, the data must have been used in sufficient quantities for them to work out that the fraudulently used national insurance numbers came from a single source - the Sports Council membership list.

How exactly the data could have been used to work the system is open to speculation. A national insurance number, date of birth and address would be all you need to set up an account, and presumably to access benefits or even a salary, though doing it on a large scale would be extremely complicated. Trend Micro's Ferguson says:

That data for a single person gives you everything that you need to commit personal financial fraud, which would be fraud against a financial institution. If you have what you need for benefit fraud, then you have what you need for all financial fraud. Fraud is fraud.

A civil servant who spoke to The Register explained that national insurance numbers are used as payroll identifiers in the civil service. Still, the attack mechanism must have been relatively complex:

I don’t think it would be done in batches; they have software that picks up patterns of behaviour like that, so only certain individuals will have been affected.

Data will most likely be used for personal fraud

Ferguson was sceptical of the Sports Council’s assurance that the data had not and would not be used in personal fraud attacks:

If you’re the person responsible for stealing that, you’re going to be offering that up for sale in underground forums then that will be sold in small amounts. That’s another argument for why you can’t have any certainty about how the data will end up being used.

The Information Commissioner's Office (ICO) - the UK's data protection watchdog and the public's white knight on matters of individual data privacy - was informed about the breach by the Sports Council just after it found out, on 18 February 2010, but handed the duty of investigation over to HMRC, spokesperson Greg Jones told El Reg.

Following the database ransack, the Sports Council says it has significantly cleaned up its database security. Pressed for a statement, CSSC would only reiterate its initial statement to members: that there had been a criminal investigation into the hack, and that the data had been used against government but not - to its knowledge - against individuals.

There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.

The CSSC would not disclose what development in the investigation prompted it to inform all members of the breach on 25 November, two years and nine months after it found out about it. ®
