Conmen DID use leaked info of sporty civil servants... to attack HMRC

But why did gov only tell data's owners 3 years later?

Criminals used the personal data of 100,000 civil servants that was swiped in early 2010 in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit... and only recently 'fessed up to the individuals concerned that their data had been snaffled.

Just last month, the Civil Service Sports Council informed civil servants who signed up to access football fields and gyms through the council that their personal details had been slurped. Now it has emerged that their data was used as ammunition in a broadside against the tax collectors - a previously unknown and unreported attack.

It is understood that no "individual fraud" was committed, but the data could theoretically have been used by crims to draw ghost benefits or even ghost salaries from the government department. Nevertheless, until recently, none of the targets were informed that their data had been compromised.

Leaky database was juicy target

The three-year-old attack came to light a few weeks ago when the Sports Council revealed to its 100,000+ members that their personal data had been stolen by hackers some time before February 2010.

A leaky database at the Civil Service Sports Council gave the crims the opportunity to steal the names, addresses, dates of birth and national insurance numbers of the entire sports-playing membership. And they did. Because the database was unencrypted and all the information was stored together, a simple SQL injection was all it would have taken to crack the database open and filch the details.

So far so standard. No inside knowledge of the civil service's sports club was required either: a simple crawl-and-probe bot - a program that searches the web for vulnerable databases - could have picked on the shoddy data storage simply by roving around online. The size of the data trove and the fact that it contained national insurance numbers made it a particularly juicy target.
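To make concrete what "a simple SQL injection" means for a membership database of this shape, here is an added example (not code from the article or from the Sports Council) in Python with sqlite3. The table layout, the member rows and the QQ-prefixed national insurance numbers are all constructed (the QQ prefix is never issued for real numbers). The vulnerable lookup splices the caller's input into the SQL text, so a tautology sent through an ordinary search field returns the whole table; the parameterised version binds the same input as data and returns nothing.

```python
import sqlite3

# Constructed sample membership rows: placeholder names and addresses,
# QQ-prefixed NI numbers (never issued for real people). Not data from the page.
SAMPLE_MEMBERS = [
    ("Alice Example", "1 Sample Street", "1980-01-01", "QQ123456A"),
    ("Bob Example",   "2 Sample Street", "1975-06-30", "QQ234567B"),
    ("Carol Example", "3 Sample Street", "1990-12-12", "QQ345678C"),
]

# Classic tautology: input a "look up my record" field was never meant to receive.
INJECTION = "' OR '1'='1"


def build_db():
    """In-memory stand-in for the kind of single-table, unencrypted member store described."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (name TEXT, address TEXT, dob TEXT, ni_number TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, ni_number):
    """Assumed defect: the NI number typed by the user is concatenated into the query.

    With INJECTION the text becomes
        ... WHERE ni_number = '' OR '1'='1'
    which is true for every row, so the whole membership list comes back.
    """
    query = "SELECT name, ni_number FROM members WHERE ni_number = '" + ni_number + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, ni_number):
    """Hardened form: the driver binds the value, so it is only ever compared as a string."""
    return conn.execute(
        "SELECT name, ni_number FROM members WHERE ni_number = ?", (ni_number,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTION))      # every member leaks
    print("parameterised:", lookup_parameterised(db, INJECTION))   # []
    print("legit lookup :", lookup_parameterised(db, "QQ234567B"))
```

The fix is the one-line change from string concatenation to a bound parameter; keeping sensitive columns such as the NI number encrypted or tokenised at rest would further limit what a successful injection could expose.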

How the data could have been used to hack the government

Then it gets more complicated. The Sports Council says there is “no evidence” that the data was used to attempt individual fraud, but does say it was used in an attempt to defraud central government.

That doesn’t stack up for Trend Micro Security expert Rik Ferguson, who makes a comparison to the HMRC data loss of 2007 when the personal details of 25 million recipients of child benefits were lost after unencrypted CDs went astray. Then there was no suggestion that the stray data would be used against government but HMRC nevertheless had to warn all 25 million recipients that it might be used against them in personal fraud attacks.

“It was exactly the same data that was in the Sports Council database - names, addresses, national insurance numbers,” says Ferguson, “so I don’t know why they suspected it would be used in a different area this time.”

The data was used to perpetrate an attack on government according to the Sports Council, and an HMRC spokesperson has confirmed to The Register that the tax-collecting and benefit-dealing ministry had suffered an attack and was investigating it.

HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful.

We do know that it involved the personal details of the civil service sports council members, that it happened in or before February 2010, that it is subject to criminal investigation and we can surmise that it was big.

Why do we think it was big? Two reasons: first that it was significant enough for HMRC to set an internal team investigating it. Second, the fact that the internal investigators were able to trace the cracked data back to the sports club. If 15 or 30 jilted national insurance numbers were used, it would have been difficult to make a connection that led back to the Sports Council. For the investigators to track it back, the data must have been used in sufficient quantities for them to work out that the fraudulently used national insurance numbers came from a single source - the Sports Council membership list.
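The reasoning above - that a handful of misused numbers could not be traced to any one list, but a large enough batch points unambiguously at a single source - is the kind of overlap analysis an investigating team would actually run. As an added illustration (not the article's or HMRC's method), the Python below compares a set of NI numbers seen in suspicious claims against candidate leaked lists. Every list, number and threshold here is constructed: the QQ prefix is never issued for real numbers, and the 50-number and 90 per cent cut-offs are assumed values, not figures from the page.

```python
# Constructed candidate source lists (QQ-prefixed placeholders, never issued for real).
SPORTS_COUNCIL_LIST = {f"QQ{n:06d}A" for n in range(100000, 100100)}   # 100 members
# Ten people who happen to appear in both datasets, so small samples can be ambiguous.
OVERLAP = {f"QQ{n:06d}A" for n in range(100000, 100010)}
OTHER_BREACH_LIST = {f"QQ{n:06d}B" for n in range(200000, 200090)} | OVERLAP

CANDIDATES = {
    "sports_council": SPORTS_COUNCIL_LIST,
    "other_breach": OTHER_BREACH_LIST,
}


def overlap_scores(observed, candidate_lists):
    """Fraction of the observed numbers that each candidate list can account for."""
    if not observed:
        return {name: 0.0 for name in candidate_lists}
    return {
        name: len(observed & members) / len(observed)
        for name, members in candidate_lists.items()
    }


def attribute_source(observed, candidate_lists, min_count=50, min_fraction=0.9):
    """Name the single list that explains the observed numbers, or None.

    None is returned when the sample is too small to support attribution
    (assumed cut-off: min_count), when no list covers enough of it
    (assumed cut-off: min_fraction), or when two lists both clear the bar,
    because then the evidence cannot distinguish between them.
    """
    if len(observed) < min_count:
        return None
    ranked = sorted(overlap_scores(observed, candidate_lists).items(),
                    key=lambda kv: kv[1], reverse=True)
    best_name, best_score = ranked[0]
    if best_score < min_fraction:
        return None
    if len(ranked) > 1 and ranked[1][1] >= min_fraction:
        return None  # ambiguous: a second source fits just as well
    return best_name


def sample(pool, n):
    """Deterministic 'observed' set: the first n numbers in sorted order."""
    return set(sorted(pool)[:n])


# Eight misused numbers, all from people on both lists: unattributable.
SMALL_OBSERVED = sample(OVERLAP, 8)
# Sixty-five misused numbers drawn from the sports council list (ten of which
# also sit on the other list): only one source explains them.
LARGE_OBSERVED = sample(SPORTS_COUNCIL_LIST, 65)

if __name__ == "__main__":
    print(overlap_scores(SMALL_OBSERVED, CANDIDATES), attribute_source(SMALL_OBSERVED, CANDIDATES))
    print(overlap_scores(LARGE_OBSERVED, CANDIDATES), attribute_source(LARGE_OBSERVED, CANDIDATES))
```

Even with the size threshold dropped to a handful, the small sample stays unattributed because both lists cover it completely, which is exactly why a few stray numbers would never have led investigators back to the Sports Council.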

How exactly the data could have been used to force the system is open to speculation. A national insurance number, date of birth and address would be all you need to set up an account, and presumably to access benefits or even a salary, though doing it on a large scale would be extremely complicated. Trend Micro's Ferguson says:

That data for a single person gives you everything that you need to commit personal financial fraud, which would be fraud against a financial institution. If you have what you need for benefit fraud, then you have what you need for all financial fraud. Fraud is fraud.

A civil servant who spoke to The Register explained that National Insurance numbers are used as payroll identifiers in the civil service. Still, the attack mechanism must have been relatively complex:

I don’t think it would be done in batches; they have software that picks up patterns of behaviour like that, so only certain individuals will have been affected.

Data will most likely be used for personal fraud

Ferguson was sceptical of the Sports Council’s assurance that the data had not and would not be used in personal fraud attacks:

If you’re the person responsible for stealing that, you’re going to be offering that up for sale in underground forums then that will be sold in small amounts. That’s another argument for why you can’t have any certainty about how the data will end up being used.

The UK's watchdog for data protection - the Information Commissioner's Office (ICO) - the public's white knight on matters of individual data privacy - was informed about the breach by the Sports Council just after it found out, on 18 February 2010, but turned over the duty of investigation to HMRC, spokesperson Greg Jones told El Reg.

Following the database ransack, the Sports Council has significantly cleaned up its database security, it says. Pressed for a statement, CSSC would only reiterate its initial statement to members: that there had been a criminal investigation into the hack, and that the data had been used against government but not - to its knowledge - against individuals.

There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.

The CSSC would not disclose the extra development in the investigation that meant they decided to inform all members of the breach on 25 November, two years and nine months after they found out about it. ®