Following the hacking of the Italian Democratic Party of Firenza, Laurence Pitt, Director of Security Strategy at Juniper Networks commented below.
Laurence Pitt, Director of Security Strategy at Juniper Networks:
“On the night of Sunday 4th February 2018, the hacker group AnonPlus took responsibility for breaking into servers owned by the Democratic Party of Firenza in Italy. The result of this breach appears to have been the online publication of a list containing names, addresses, telephone numbers and other personally identifiable information related to 2,653 party members. The data is not new, it is dated from 2015, but for anyone who has not moved or changed telephone numbers in the last three years, it is effectively current.
“From external analysis it is being reported that the attack was potentially carried out using an SQL injection attack – a common method where malicious code is injected into an online form that allows the hackers to gain access and modify, extract or prevent access to stored data. However, with this attack, there are a few areas that point toward a likely lack of best-practice allowing the breach to succeed – and no discovery of a zero-day attack.
“When the attack occurred, the IT team was able to see that the servers were under attack and block them, but by this time the hackers had already accessed and retrieved the PDF file with the membership data. For the Democratic Party of Florence, it is too late for preventative measures – its data has been published and the damage is done – but hopefully we can all learn from what has happened.
- A number of servers were attacked, but only the server with 2015 data – an older file – was breached. This could indicate that the vulnerability that allowed the attack was not present on all of their servers, so a patch could have fixed this. Just because data is old, or even redundant, this does not mean it loses value. Servers with accessible data must be patched and managed to the same level as servers with current data. Patching is still one of the most critical security activities organisations must undertake regularly
- Why was the stolen PDF file not encrypted? When protecting data, we have to assume that it might be stolen at some point and consider the damage that this would cause. If the file had been fully encrypted, then the data would have been useless to the hackers
“The bottom line to help protect your organization from a similar situation is this: Make sure that you have an effective patching program in place, with regular maintenance windows for software updates and security testing of those updates, and all data needs to be encrypted so that if stolen it is useless.
“Under GDPR, this breach would need to be notified to the Italian Data Protection Authority within 72 hours of awareness, resulting in a possible fine; at the very least, anyone affected will have to be notified. If the data had been encrypted and non-accessible, then although the breach would still have to be reported, the negative impact would likely be lessened.”
