Yesterday, the AP broke a disturbing story about a hacktivist who made public the personal data of almost 50 million Turkish citizens, lifting the information from a government database. The hacker also posted a taunting message to the Turkish government, referring to the agency’s sloppy data protections and a hardcoded password that allowed the entire unencrypted database to be easily picked up from government servers. “Bit shifting is not encryption, “ the message concluded
This breach is twice the size of the US Office of Personnel Management (OPM) breach, leading us to believe that no nation is safe – and no government agency seems to be learning anything from these ongoing attacks. Here to comment on this news is Daren Glenister, CTO of Intralinks, Craig Kensek, cybersecurity expert with Lastline and Brad Bussie, director of product management, STEALTHbits Technologies.
Daren Glenister, CTO of Intralinks:
“The number one priority of any government is to protect its citizens. That includes taking every precaution to prevent their private information from falling into the wrong hands. Breaches like this underscore why more nations are reforming their data privacy laws and holding those who process, store and transfer sensitive data more accountable – like GDPR in Europe. ‘Good enough’ security tools and practices leaves information vulnerable. High-value content and personal data should have more stringent security measures applied that protect it at all times – in motion and at rest.”
Craig Kensek, cybersecurity expert, Lastline:
“Turkey’s national ID number system is used to enable access to government services like taxation, voting, education, social security, health care, and military recruitment. If this were to occur to a US firm, part of the disaster control would include revamping the company’s security system, including potentially encrypting data. Credit watch services would be given to individuals for one or two years. And an executive would take the sword.
Thefts like these have cost IT directors (and higher) and other executives their jobs. In the case of Target Stores in 2013, where over 100 million records, it cost the store over $61 million to address the beach. Target CEO, President and Chairman Gregg Steinhafel resigned in 2014. As of March 22, domestically, the Identity Theft Resource Center had reported 177 breaches with 4.6 million records exposed. For them, breach incidents involving only emails, user names, and/or passwords, the number of records is not included in their totals.”
Brad Bussie, director of product management, STEALTHbits Technologies:
“With details still emerging around the hacktivist attack and how it was carried out, we will need to speculate how the leak occurred. Let’s start by looking at the volume of data. 6.6GB of data isn’t fast or easy to transmit over the internet in Turkey even under the best conditions. Even rudimentary web filtering can detect and block the egress of specific file types as well as terminate transmissions of data after a given time or size. This leads us to the next possibility.
Was it an inside job? Insider Threat is rapidly tearing down the old perimeter defenses organizations have felt safe behind for years. Depending on data controls within the Turkish government, a simple USB stick could have been all that was required to capture and then leak the data. Given the claim that the leak was politically motivated it will be interesting to see how the attack was carried out. What is puzzling is how anyone could justify the leak of over 49 million citizens to merely target a single political regime. Would it not have made more sense to leak only the personal information of those you were attempting to damage? It sounds like something else is going on and more details will emerge in the coming days.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.