A breach of web servers at US-based global intelligence firm Stratfor over Christmas has put hundreds of UK, US and NATO officials at risk, a cyber-security expert has revealed.
The huge database of e-mail addresses and passwords, stolen by members of the AntiSec joint venture between hacktivist group Anonymous and off-shoot LulzSec, includes 221 UK military officials, John Bumgarner of the US Cyber Consequences Unit told The Guardian.
The database included the user IDs - mostly e-mail addresses - and encrypted passwords of about 850,000 individuals who had subscribed to Stratfor's website and the credit card numbers and addresses of 75,000 paying subscribers, including 462 in the UK.
Bumgarner’s analysis of the stolen data revealed that it also included the personal data of several UK civil servants, 242 NATO staff members, 343 US military personnel deployed in Afghanistan and Iraq, as well as former US vice-president Dan Quayle and former US secretary of state Henry Kissinger.
Among those in the UK affected by the breach, Bumgarner was able to identify seven officials in the Cabinet Office, 45 Foreign Office officials, 14 from the Home Office, 67 Scotland Yard and other police officials, two employees with the Royal household, and 23 people listed who work in the Houses of Parliament.
“At present, there is no indication of any threat to UK government systems. Advice and guidance on such threats is issued to government departments through the Government Computer Emergency Response Team,” a government spokesman said in a statement.
But security experts have warned that officials who did not take extra precautions in securing passwords, through dual authentication or other protection systems, could find the e-mail and other databases they use compromised.
Any foreign intelligence service targeting the UK, they said, could find these e-mails useful in identifying individuals connected to sensitive government activities.
Stratfor has taken down its website and says it is working to prevent any further breaches, but the consultancy firm could have avoided the breach easily and inexpensively simply by isolating and encrypting the data, says Graeme Batsman, director of London-based security firm Data Defender.
Web servers should contain only data that is on the website and should be isolated from the main network, he said. Then, if a server is breached, the only data that can be stolen is publicly visible data, and attackers are unable to get to the organisation’s internal servers.
“We live in the age of info-leaks, with modern technology it is possible to send huge amounts of data around the world in literally less than a second, therefore sensitive data itself should be encrypted on a document-by-document basis to stop external hackers and even other internal company departments viewing or pinching data,” said Batsman.