For 99p, an eBay buyer got access to a West Yorkshire council's network using a second-hand virtual private network (VPN) server.
The server, previously used by Kirklees Council staff to allow secure and remote connections to the council's network, was bought on eBay for 99p by Andrew Mason from security firm Random Storm.
When Mason plugged the Cisco device in and switched it on, he was automatically connected to the internal network of Kirklees Council.
Although the council said it was "concerned" about the breach, Kirklees Council told the BBC that it was "confident" its data and systems had not been compromised, as they were protected by "multiple levels of security".
On powering up the hardware, Mason had expected the device to prompt for network settings to be entered. Instead, without prompting, it connected to the last place it had been used, allowing Mason to potentially explore the council's network.
The BBC says the IP address used to connect to Kirklees was owned by Capgemini, which had previously managed the council's network before the council took the work back in-house in 2005.
The council is believed to have disposed of the hardware through a hardware recycling firm without first restoring the device's factory settings to wipe previous connection data.
Mason told the BBC that the last change to the device's connection details was made in November 2006, well after Capgemini's involvement with the network.
Richard Farnworth, general manager for enterprise solutions at NEC, told Computer Weekly, "Protecting networking equipment and network topology is just as important as preventing data security breaches involving laptops, CDs and memory sticks.

"As so much dependence is placed upon connectivity in the 'networked society' we belong to, it is imperative that both public sector organisations and commercial businesses take special care when disposing of any IT products. It will not come as a surprise that many 'black box' devices hold configuration information within them."