Criminals used the personal data of 100,000 civil servants that was swiped in early 2010 in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit... and only recently 'fessed up to the individuals concerned that their data had been snaffled.
Just last month, the Civil Service Sports Council informed civil servants who signed up to access football fields and gyms through the council that their personal details had been slurped. Now it has emerged that their data was used as ammunition in a broadside against the tax collectors - a previously unknown and unreported attack.
It is understood that no "individual fraud" was committed, but the data could theoretically have been used by crims to draw ghost benefits or even ghost salaries from the government department. Nevertheless, until recently, none of the targets were informed that their data had been compromised.
Leaky database was juicy target
The three-year-old attack came to light a few weeks ago when the Sports Council revealed to its 100,000+ members that their personal data had been stolen by hackers some time before February 2010.
A leaky database at the Civil Service Sports Council gave the crims the opportunity to steal the names, addresses, dates of birth and national insurance numbers of the entire sports-playing members. And they did. Because the database was unencrypted and all information was logged together, a simple SQL injection was all it would have taken to crack the database open and filch the details.
So far so standard. No inside knowledge of the civil service's sports club was required either: a simple crawl and probe bot - a programme that searches the web for vulnerable databases - could have picked on the shoddy data storage simply from roving around online. The size of the data trove and the fact that it contained national insurance numbers made it a particularly juicy target.
How the data could have been used to hack the government
Then it gets more complicated. The Sports Council says there is “no evidence” that the data was used to attempt individual fraud, but does say it was used in an attempt to defraud central government.
That doesn’t stack up for Trend Micro Security expert Rik Ferguson, who makes a comparison to the HMRC data loss of 2007 when the personal details of 25 million recipients of child benefits were lost after unencrypted CDs went astray. Then there was no suggestion that the stray data would be used against government but HMRC nevertheless had to warn all 25 million recipients that it might be used against them in personal fraud attacks.
“It was exactly the same data that was in Sports Council database - names, addresses, national insurance numbers,” says Ferguson, “so I don’t know why they suspected it would be used in a different area this time.”
The data was used to perpetrate an attack on government according to the Sports Council, and an HMRC spokesperson has confirmed to The Register that the tax-collecting and benefit-dealing ministry had suffered an attack and was investigating it.
HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful.
We do know that it involved the personal details of the civil service sports council members, that it happened in or before February 2010, that it is subject to criminal investigation and we can surmise that it was big.
Why do we think it was big? Two reasons: first that it was significant enough for HMRC to set an internal team investigating it. Second, the fact that the internal investigators were able to trace the cracked data back to the sports club. If 15 or 30 jilted national insurance numbers were used, it would have been difficult to make a connection that led back to the Sports Council. For the investigators to track it back, the data must have been used in sufficient quantities for them to work out that the fraudulently used national insurance numbers came from a single source - the Sports Council membership list.
How exactly the data could have been used to force the system is open to speculation. A national insurance number, date of birth and address would be all you need to set up a account, and presumably to access benefits or even a salary, though doing it on a large scale would be extremely complicated. Trend Micro's Ferguson says:
That data for a single person gives you everything that you need to commit personal financial fraud, which would be fraud against a financial institution.If you have what you need for benefit fraud, then you have what you need for all financial fraud. Fraud is fraud.
A civil servant who spoke to The Register explained that National Insurance numbers are used as payroll identifiers in the civil service. Still, the attack mechanism must been relatively complex:
I don’t think it would be done in batches; they have software that picks up patterns of behaviour like that, so only certain individuals will have been affected.
Data will most likely be used for personal fraud
Ferguson was sceptical of the Sports Council’s assurance that the data had not and would not be used in personal fraud attacks:
If you’re the person responsible for stealing that, you’re going to be offering that up for sale in underground forums then that will be sold in small amounts. That’s another argument for why you can’t have any certainty about how the data will end up being used.
The UK's watchdog for data protection - the Information Commissioner's Office (ICO) - the public's white knight on matters of individual data privacy - was informed about the breach by the Sports Council just after it found out, on 18 February 2010, but turned over the duty of investigation to HMRC, spokesperson Greg Jones told El Reg.
Following the database ransack, the Sports Council has significantly cleaned up their database security, it says. Pressed for a statement, CSSC would only reiterate its initial statement to members: that there had been a criminal investigation into the hack, that the data had been used against government but not - to their knowledge - against individuals.
There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.
The CSSC would not disclose the extra development in the investigation that meant they decided to inform all members of the breach on 25 November, two years and nine months after they found out about it. ®