Can Data Breaches Kill?

Published: 22/11/2024   Category: security




When data is sensitive enough, its exposure has the potential to be fatal



Data breaches have long threatened the identities of individuals whose data was stolen by pilfering cybercriminals. But, in some cases, the breach of sensitive data can put far more than just the credit histories of victims at risk. In the right set of circumstances, a data breach can put people's lives at risk.
As far as the security community knows, there has been no documented case where breached private details have proved fatal. But the recent exposure of sensitive information held by more than 70 different U.S. law enforcement agencies by Anonymous provides a perfect example of the type of information that could put a breach victim's life at risk.
The group nabbed and made public the personal information of hundreds of law enforcement officers via BitTorrent, as well as the names and information of police informants for many of the departments hit in the attack.
"It's certainly some pretty heavy-duty data that they got access to this time, very different from the typical user names and passwords that they publish," says Josh Shaul, CTO of database security firm Application Security. "We don't know exactly what happened, but we know their MO. When it's Anonymous and Lulzsec, it's almost always simple injection to get to the inside and extract some data. A lot of those files were not stored in databases, but they very likely used SQL injection to get to a database and then used database vulnerabilities to get to the sensitive files that they then extracted in the end. I think they got to really sensitive data because that data was completely accessible."
As Shaul and several security experts acknowledged, information like the data dumped on BitTorrent by Anonymous could put people's lives in danger. Police informants depend on their anonymity to provide confidential information to law enforcement officers, and they count on the agencies they work with to keep a tight lid on their personal details and connections to law enforcement.
"Just knowing the name of a person within a secret organization or relationship can be life-threatening for them," says Mel Shakir, CTO of NitroSecurity. "As organizations start looking at these incidents, they'll start to understand the implications of even employee information being stolen."
This latest Anonymous raid of public safety agencies was reportedly a retributive attack against the entire field of law enforcement for the arrest of Topiary, the Lulzsec spokesman picked up by Scotland Yard in late July. But this isn't the first time Anonymous has put law enforcement lives at risk -- in June it released information about law enforcement officers from the Arizona Department of Public Safety.
"The rest of the country doesn't realize how dangerous it is here in Arizona," says Adrian Lane, security analyst for Securosis. "It's a border area, and we have groups of coyotes that bring illegals over the border; it's a professional enterprise run by Mexican mafia. The border agents fear for their lives because those coyotes will come after them and will kill them. These are also the officers who are going to raid the houses of drug dealers. That's a potentially life-threatening issue."
Even law enforcement agencies themselves have been culpable of exposing people whose police involvement could put them at risk.
Last year an informant for the Sheriff's Office of Mesa County, Colorado, saw their name popping up on a Google search. The search engine's crawler had found an unsecured FTP site on a server owned by the county that contained names, contact information, and Social Security numbers of drug informants to the agency. Somehow an IT staffer mistakenly put that data onto the FTP site from a very sensitive database file.
Incidents like this and the Anonymous attacks show that public safety organizations need to pay as much attention to cybersecurity as they do to physical security; at this point, too much information is accessible over networks to ignore the risk.
"People going after information that is going to be life-threatening for others has some major legal ramifications and is going to hurt people's lives," Shakir says. "Organizations have to take more precautions, the same way that they put up secure buildings with cameras and guards. We are in the cyberworld and, with most of our lives being online, we have to make that investment. We cannot be lax anymore."
Sadly, though, this message just doesn't seem to be getting through to even those organizations that hold people's lives in their hands.
"This is the prevalent state of affairs across almost the entire universe right now in information security," Shaul says. "I think if something really bad happened I wouldn't be surprised to see this go political and see Congress try to put some sort of legislation in place that makes it look like they're doing something."
