Security

Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners' home addresses in Google Earth

Bang out of order


Updated The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.

Leaked online last week via an animal rights activist's blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could "contact as many [owners] as you can in your area and ask them if they are involved in shooting animals."

Names, home addresses, postcodes, phone numbers, email addresses and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach.

The file was linked to from the activist's blog, a clearnet site hosted in Iceland, and presents a severe risk not only to British firearm and shotgun certificate holders but also anyone who moved house to one of the addresses mentioned in the leak of the stolen database, which contains data up to five years old.

The 111,000 location entries from the Guntrader DB break-in plotted on Google Earth. Click to enlarge

Firearms are attractive to criminals. Targeted robberies and burglaries to steal them, while unusual, are certainly not unknown. Police have previously issued warnings to the licensed firearms community emphasising personal safety after a spate of robberies targeting licensed firearms owners outside their homes and at rifle ranges; the Guntrader breach could lead to a spate of such crimes.

British policy on firearms ownership is that domestic homes that may contain a handful of firearms or shotguns are less likely to be targeted than the alternative of central armouries presenting a high-value target. Security measures are proportionately ramped up depending on the number and type of guns – but all firearms security begins with obscurity. This breach takes away that obscurity for about 20 per cent of the registered owners across the country.

Down to physical security now

One worried shooter who spoke to The Register said that while his details were in the stolen data, the geolocation information pointed to his parents' home and not his own. A registered firearms dealer who initially scoffed at being included "because I don't have signs outside" could be traced down to his warehouse's industrial estate; Googling his name revealed the precise unit number.

While some in the licensed firearms community who spoke to The Register expressed the hope that this latest development might go unnoticed, the horse bolted from that stable in July. Criminals plotting the Guntrader location data on a map was only a matter of time.

Guntrader has not explained why it was collecting location coordinates down to six decimal places. We have asked the company for comment. A number of law firms appear to be touting for business off the back of the data leak, though it seems unlikely any of those cases will progress into a representative action in the High Court. There is also the possibility that it goes the way of the latest attempt to sue Dixons Carphone over its 2018 data leak once it gets there.

It appears likely that the latest version of the Guntrader database break-in may be covered by section 58 of the Terrorism Act 2000, which makes it a crime to collate "information of a kind likely to be useful to a person committing or preparing an act of terrorism." Breaching section 58 is punishable with 15 years in prison. The South West Regional Cyber Crime Unit as well as the National Crime Agency are both said to be investigating.

The Countryside Alliance had not responded to a request for comment at the time of publication.

The Information Commissioner's Office told us: "We are aware of a potential change in the Guntrader Ltd incident and we will be making enquiries." ®

Updated to add

The British Association for Shooting and Conservation has been in touch to say: "BASC is concerned about this latest development. We have flagged those concerns to the National Crime Agency. In the meantime, we advise the shooting community to maintain vigilance around security and report any concerns to the police."

Google also told us it has removed the CSV file from Google Drive that was linked to from the activist's blog.

A National Crime Agency spokesman said: "The NCA is aware that information has been published online as a result of a recent data breach which impacted Guntrader. We are working closely with the South West Regional Cyber Crime Unit, who are leading the criminal investigation, to support the organisation and manage any risk."

Send us news
168 Comments

Online harms don’t need dangerous legislation, they need a spot of naval action

It worked on Jolly Roger, it can work on ProudWhiteGuy66373

Opinon Three things on the morning news reliably ruin breakfast for socially aware technogeeks.

Continue reading

IT outsourcing: SLAs, patches – and how uptime funk's going to get to you

Cheaper, better than running it yourself? Maybe

Feature Outsourcing generally has a bad reputation, scarred by countless failed projects in the public and private sectors and with cost cutting, rather than improved sevice delivery, seeming to drive business decisions.

It's big business: the global IT outsourcing market brought in $318.5bn (£232.5bn) in 2019, according to one report. So not every CIO can be wrong when they decide that bringing in an external technology provider is preferable to doing it themselves. Can they?

The failures can be high profile in nature, be it the Home Office's digital border sevices contract with Raytheon; IBM and WPP; Capita and the Primary Care contract; Capita and the Army recruitment services; Capita and the school bug; Capita and... we'll stop there.

Continue reading

Facebook sues scraper who sold 178 million phone numbers and user IDs

Apparently The Social NetworkTM is the only one allowed to do nasty things with users' data

Facebook has sued a Ukrainian national for allegedly harvesting and selling personal data describing 178 million of the Social NetworkTM's users – actions it says violates the service's terms of service.

The suit alleges that Alexander Alexandrovich Solonchenko created millions of virtual Android devices, each with a different phone number, and used them to deliver automated requests to Facebook systems using the Messenger app.

Over 21 months between January 2018 and September 2019, Solonchenko purportedly took advantage of Facebook Messenger's now-defunct Contact Importer feature. The feature allowed users to synchronize their phone address books and see which contacts had an account with The Social NetworkTM, presumably so they could contact them on Messenger rather than through other means.

Continue reading

Orders wrong, resellers receiving wrong items? Must be a programming error and certainly not a rushing techie

Some of those punch cards may still be lying at the bottom of a lift shaft

Who, Me? Punch cards are the order of the day in a reader confession that takes us back to an unfortunate incident with a trolley. Welcome to Who, Me?

To be fair, punch cards were on the wane at the time of our story in the early 1980s, but our reader (Regomised as "Ivor") was gainfully employed at an international manufacturer still keen on the things.

After all, if a system wasn't broken, it didn't need fixing, right?

Continue reading

Asia's 'superapps' bundle ride-share, food delivery, even financial services – and they're beating big tech

China backed the concept of tools users perceive as an extension of the OS, not just an app

Catch a ride, pay your utility bills, order your dinner, top up your insurance, chat with friends – how many apps did you need to get that lot done? In much of the world North America and Europe your answer could involve a fistful of apps, but in Asia you could do it all in one, thanks to rise of the "superapp".

Superapps are, for now, largely an Asian phenomenon, although the concept is more than a decade old. Blackberry founder Mike Lazaridis coined the term in 2010 to mean "a closed ecosystem of many apps that people would use every day because they offer such a seamless, integrated, contextualized and efficient experience".

Academic and researcher of digital business models and ecosystems at Singapore's ESSEC Business School Dr Jan Ondrus thinks a better definition for a superapp is essentially "an operating system".

Continue reading

Electronic Frontier Foundation ousts co-founder John Gilmore from its board

He's free of governance duties now, but still an emeritus member

Electronic Frontier Foundation (EFF) co-founder John Gilmore has been removed from any active role on the digital rights organisation's board but will continue to serve as emeritus member.

"Since he helped found EFF 31 years ago, John Gilmore has provided leadership and guidance on many of the most important digital rights issues we advocate for today," wrote EFF executive director Cindy Cohn.

If your instincts tell you that's the kind of prose that presages a "but", your instincts were correct.

Continue reading

Cleanup on aisle C: Tesco app back online after attack led to shopping app outages

With an average 1.27 million orders a week, many customers left hacked off

The UK's largest retailer, supermarket titan Tesco, has restored its online operations after an attack left its customers unable to order, amend, or cancel deliveries for two days.

A Tesco statement acknowledges disruption to the giant's grocery website and app, claiming "an attempt was made to interfere with our systems, which has caused problems with the search function on the site."

The gigantic grocer has also said there's no reason to believe customer data is or was at risk.

Continue reading

Here comes the blob: Asia's top 'net boffin thinks 'shapeless services' could replace the Internet

Common network services are less important when we've moved to apps hosted at the edge

What will the internet look like in the year 2071? Geoff Huston, chief scientist the regional internet registry the Asia Pacific Network Information Centre (APNIC), thinks there may not be an internet – or at least not as we know it today.

Huston's thinking is outlined in a presentation he made to a recent IBM Research event on the Future of Computer Communications Networks.

The talk opened by pondering what predictions one would have made in 1921 – a time when Huston reckoned forecasting huge growth in voice telephony would have been a logical conclusion, but faxes and digital technology would not. He then repeated the exercise with 1971 as his starting point, and concluded that predicting computers would become a consumer product would have been hard to do at a time when the dominant personal electronics product was a pocket calculator.

Continue reading

NASA sets a date to begin lunar tuning

First Artemis mission is stacked on a rocket – now for five punishing sets of tests before liftoff

NASA has set a date for the test of the technologies it hopes will see it return to the Moon and explore Mars: February 2022.

The agency on Saturday announced that its Orion spacecraft has been stacked atop the Space Launch System (SLS) rocket, and if all tests go well is expected to make an uncrewed test flight around the Moon.

The mission – the first in the Artemis program – is billed as "the first integrated test of NASA's deep space exploration systems". NASA's plan is to send the SLS into space, whereupon the Orion capsule will head for the Moon.

Continue reading

Japanese bloke collared after using AI software to uncensor smut and flogging it

Plus: Explore the limits of language models in bizarre research experiment, and more

In brief A man was detained in Japan for selling uncensored pornographic content that he had, in a way, depixelated using machine-learning tools.

Masayuki Nakamoto, 43, was said to have made about 11 million yen ($96,000) from peddling over 10,000 processed porn clips, and was formally accused of selling ten hardcore photos for 2,300 yen ($20). He pleaded guilty to violating Japan's copyright and obscenity laws, NHK reported this month.

Explicit images of genitalia are forbidden in Japan, and as such its porn is partially pixelated. Don't pretend you don't know what we're talking about. Nakamato flouted these rules by downloading smutty photos and videos, and reportedly used deepfake technology to generate fake private parts in place of the pixelation.

Continue reading

Florida man accused of breaking Mastodon's open-source license with botched social network launch

Golf enthusiast given 30 days to cough up code

A Florida man has been accused of breaking the copyleft license of Mastodon by running an online instance of the software without providing its source code as required.

And not only that, the real-estate baron and wannabe tech tycoon has been told he has a month to fall in line with the fine print or put himself potentially at risk of further action.

Mastodon is a Twitter-like microblogging service that you host yourself. Servers running this software can form a larger, decentralized social network.

Continue reading