Conmen DID use leaked info of sporty civil servants... to attack HMRC

But why did gov only tell data's owners 3 years later?

Criminals used the personal data of 100,000 civil servants, swiped in early 2010, in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit... and only recently 'fessed up to the individuals concerned that their data had been snaffled.

Just last month, the Civil Service Sports Council informed civil servants who signed up to access football fields and gyms through the council that their personal details had been slurped. Now it has emerged that their data was used as ammunition in a broadside against the tax collectors - a previously unknown and unreported attack.

It is understood that no "individual fraud" was committed, but the data could in theory have been used by crims to draw ghost benefits or even ghost salaries from the government department. Nevertheless, until recently, none of the people affected were informed that their data had been compromised.

Leaky database was juicy target

The three-year-old attack came to light a few weeks ago when the Sports Council revealed to its 100,000+ members that their personal data had been stolen by hackers some time before February 2010.

A leaky database at the Civil Service Sports Council gave the crims the opportunity to steal the names, addresses, dates of birth and national insurance numbers of the entire sports-playing membership. And they did. Because the database was unencrypted and all the information was stored together, a simple SQL injection was all it would have taken to crack the database open and filch the details.

So far so standard. No inside knowledge of the civil service's sports club was required either: a simple crawl-and-probe bot - a program that searches the web for vulnerable databases - could have picked out the shoddy data storage simply by roving around online. The size of the data trove and the fact that it contained national insurance numbers made it a particularly juicy target.
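To make the attack path described above concrete, here is an added example written for this page; it is not the CSSC's code, whose schema is not public. It models a member-search feature that only ever displays names but sits on a single unencrypted table holding every field, so an injected UNION can lift the national insurance column out through the name field. The table layout, the fictitious rows (made-up names and NI numbers) and the payload are all constructed for the demo; the parameterised version beside it shows the fix.

```python
import sqlite3

# Constructed sample data for the demo (fictitious people; the table layout is an
# assumption, not the real CSSC schema). Columns mirror the fields the article
# says were taken: name, address, date of birth, national insurance number.
SAMPLE_MEMBERS = [
    ("Alice Example", "1 High Street, Anytown", "1980-01-02", "QQ123456A"),
    ("Bob Example", "2 Low Road, Othertown", "1975-05-06", "QQ234567B"),
    ("Carol Example", "3 Mid Lane, Sometown", "1990-09-10", "QQ345678C"),
]

# Hypothetical attacker input for a "find a team-mate" search box. The quote
# closes the LIKE literal, UNION bolts on a second query that reads the NI
# column from the same table, and "--" comments out the rest of the original.
UNION_PAYLOAD = "xyz' UNION SELECT ni_number FROM members -- "


def make_db():
    """Build an in-memory SQLite database holding the constructed membership list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (name TEXT, address TEXT, dob TEXT, ni_number TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def search_names_vulnerable(conn, term):
    """Name search that splices user input straight into the SQL text.

    The feature only displays names, but because every field sits in one
    unencrypted table, an injected UNION can pull any column through it.
    """
    sql = f"SELECT name FROM members WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    """Escape LIKE metacharacters so user input matches literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_names_hardened(conn, term):
    """Same search with a bound parameter: the input is data, never SQL.

    ESCAPE also neutralises % and _ so a bare "%" cannot list every member.
    """
    sql = "SELECT name FROM members WHERE name LIKE ? ESCAPE '\\'"
    pattern = f"%{_escape_like(term)}%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def demo():
    """Run the payload against both versions and report what each returns."""
    conn = make_db()
    return {
        "vulnerable": sorted(search_names_vulnerable(conn, UNION_PAYLOAD)),
        "hardened": search_names_hardened(conn, UNION_PAYLOAD),
        "hardened_wildcard": search_names_hardened(conn, "%"),
        "hardened_legit": search_names_hardened(conn, "Alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against a payload that matches no name, the vulnerable search hands back all three NI numbers while the parameterised version returns nothing. Binding the parameter alone does not stop a bare `%` from listing every member, which is why the hardened query escapes LIKE metacharacters as well. Encrypting the NI column at the application layer, or keeping it out of the table that a public feature queries, would have limited what even a successful injection could take.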

How the data could have been used to hack the government

Then it gets more complicated. The Sports Council says there is “no evidence” that the data was used to attempt individual fraud, but does say it was used in an attempt to defraud central government.

That doesn’t stack up for Trend Micro Security expert Rik Ferguson, who makes a comparison to the HMRC data loss of 2007 when the personal details of 25 million recipients of child benefits were lost after unencrypted CDs went astray. Then there was no suggestion that the stray data would be used against government but HMRC nevertheless had to warn all 25 million recipients that it might be used against them in personal fraud attacks.

“It was exactly the same data that was in the Sports Council database - names, addresses, national insurance numbers,” says Ferguson, “so I don’t know why they suspected it would be used in a different area this time.”

The data was used to perpetrate an attack on government according to the Sports Council, and an HMRC spokesperson has confirmed to The Register that the tax-collecting and benefit-dealing ministry had suffered an attack and was investigating it.

HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful.

We do know that it involved the personal details of the civil service sports council members, that it happened in or before February 2010, that it is subject to criminal investigation and we can surmise that it was big.

Why do we think it was big? Two reasons: first that it was significant enough for HMRC to set an internal team investigating it. Second, the fact that the internal investigators were able to trace the cracked data back to the sports club. If 15 or 30 jilted national insurance numbers were used, it would have been difficult to make a connection that led back to the Sports Council. For the investigators to track it back, the data must have been used in sufficient quantities for them to work out that the fraudulently used national insurance numbers came from a single source - the Sports Council membership list.

How exactly the data could have been used to game the system is open to speculation. A national insurance number, date of birth and address would be all you need to set up an account, and presumably to access benefits or even a salary, though doing it on a large scale would be extremely complicated. Trend Micro's Ferguson says:

That data for a single person gives you everything that you need to commit personal financial fraud, which would be fraud against a financial institution. If you have what you need for benefit fraud, then you have what you need for all financial fraud. Fraud is fraud.

A civil servant who spoke to The Register explained that National Insurance numbers are used as payroll identifiers in the civil service. Still, the attack mechanism must have been relatively complex:

I don’t think it would be done in batches; they have software that picks up patterns of behaviour like that, so only certain individuals will have been affected.

Data will most likely be used for personal fraud

Ferguson was sceptical of the Sports Council’s assurance that the data had not and would not be used in personal fraud attacks:

If you’re the person responsible for stealing that, you’re going to be offering that up for sale in underground forums then that will be sold in small amounts. That’s another argument for why you can’t have any certainty about how the data will end up being used.

The UK's data protection watchdog - the Information Commissioner's Office (ICO), the public's white knight on matters of individual data privacy - was informed about the breach by the Sports Council just after it found out, on 18 February 2010, but handed the duty of investigation over to HMRC, spokesperson Greg Jones told El Reg.

Following the database ransack, the Sports Council says it has significantly cleaned up its database security. Pressed for a statement, CSSC would only reiterate its initial statement to members: that there had been a criminal investigation into the hack, and that the data had been used against government but not - to its knowledge - against individuals.

There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.

The CSSC would not disclose the extra development in the investigation that meant they decided to inform all members of the breach on 25 November, two years and nine months after they found out about it. ®
