August 22, 2014

Hackers breach externally hosted database used by UK’s Herfordshire Police

(LiveHacking.Com) – A website belonging to the UK’s Hertfordshire Police has been hacked and what appear to be login details, passwords and other details have been published online. The database for the Safer Neighbourhood Teams website, which was  externally hosted, held personal data including phone numbers and IP addresses that related to a number of officers.

In a statement given to the BBC, the Hertfordshire Constabulary said it was currently investigating the publication of information stored on a database linked to the public Safer Neighbourhoods pages of the external Constabulary website. And that the site has been temporarily disabled. “There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way.”

The hack seems to be have been motivated by the current plight of Wikileaks founder, Julian Assange. There has been a rise in the number of hacking attacks since the UK government said it would arrest and extradite Mr Assange if he left Ecuador’s embassy in London.  An “OpFreeAssange” banner was included with the database details that were posted online as well as a quote from the Wikileaks founder. However the hacker was also keen to point out that he wasn’t part of the infamous hacking Anonymous.

Catalin Cosoi, chief security researcher at Bitdefender, said to SC Magazine: “The unknown attacker extracted from the second breached website what appear to be police officers’ email addresses, passwords to those email accounts and a list of PINs probably employed as additional safety tools. Several user logs have also been made public, exposing a list of employee names and corresponding IPs that could be used in cyber crime operations requiring identification of a specific machine, containing a particular type of data.”

Questions are now being asked about why a Police force was using an externally hosted website. The problem with any third-party supplier is that their security practices and procedures are unknown and outside the control of the client, in this case a Police force. This attack highlights the need for anyone (including Public sector organisations) using external hosting to validate the security of the external service.