Council’s network exposed after server sold on eBay

For 99p, an eBay buyer got access to a West Yorkshire council's network using a second-hand virtual private network (VPN) server.

The server, previously used by Kirklees Council staff to allow secure and remote connections to the council's network, was bought on eBay for 99p by Andrew Mason from security firm Random Storm.

When Mason plugged the Cisco device in and switched it on, he was automatically connected to the internal network of Kirklees Council.

Although Kirklees Council said it was "concerned" about the breach, it told the BBC that it was "confident" its data and systems had not been compromised as they were protected by "multiple levels of security".

On powering up the hardware, Mason had expected the device to need network settings to be input, but, without prompting, it connected to the last place it was used, allowing Mason to potentially explore the council's network.

The BBC says the IP address used to connect to Kirklees was owned by Capgemini, which had previously managed the council's network, before the council took the work back in-house in 2005.

The council is believed to have disposed of the hardware through a hardware recycling firm, without first restoring the factory settings of the device to wipe previous connection data.

Mason told the BBC the last change to the connection details of the device was made in November 2006, well after Capgemini's involvement with the network.

Richard Farnworth, general manager for enterprise solutions at NEC, told Computer Weekly, "Protecting networking equipment and network topology is just as important as preventing data security breaches involving laptops, CDs and memory sticks.

"As so much dependence is placed upon connectivity in the 'networked society' we belong to, it is imperative that both public sector organisations and commercial businesses take special care when disposing of any IT products. It will not come as a surprise that many 'black box' devices hold configuration information within them."
