(In)Secure Digest: Hacker-Insider Combo, DeepSeek Wide Open, Gracious Apple - SearchInform
04.03.2025

In our February (In)Secure Digest, you will find the most striking and large-scale information security incidents.


Left without saying “goodbye”

What happened: The British Museum has closed some exhibitions after an attack by a former employee of an IT contractor.

How it happened: In January, London police received a call that someone had broken into the British Museum and “caused damage to its IT and security systems.” The intruder was arrested on the spot, The Guardian reported.

The attack was carried out by a recently dismissed contractor who had worked in the museum's IT service. He deliberately disabled several systems, including the ticketing platform, so some exhibitions were unavailable. After the incident, a banner appeared temporarily on the museum's website: "The museum is open, but due to problems with the IT infrastructure, some galleries are temporarily unavailable."

This is not the first time the British Museum has suffered losses because of its own staff. Recall that in 2023 the museum sued Peter John Higgs, curator of its Greek collections. Higgs had worked at the museum for almost 30 years, but in 2016 he began selling exhibits on eBay: jewellery and gemstones from Ancient Rome, with a total value in the tens of millions of pounds. He was caught putting up for sale items that were described in detail in the museum's digital catalogues. Although he used a pseudonym, the PayPal account that received the payments was linked to a social network account where he posted under his real name.

Guilty without fault

What happened: Hackers tricked employees into helping them breach the Bank of Uganda.

How it happened: In November 2024, cybercriminals hacked the Central Bank of Uganda and transferred 62 billion Ugandan shillings ($16.8 million) from its accounts. The incident was confirmed by Uganda's finance minister.

After the attack, African media speculated that insiders had been involved, and this has now been confirmed. Some Finance Ministry employees allegedly helped the criminals, without realising it, to make payments to the accounts the attackers needed. The Ugandan parliament, however, was not convinced that the employees were victims of manipulation: parliamentarians called their actions “clearly criminal” and handed the investigation details to law enforcement to get to the bottom of the matter.

DeepLeak

What happened: DeepSeek developers made a rookie mistake.

How it happened: On January 29, Wiz Research reported that it had found an exposed DeepSeek database. With no authentication at all, it held more than a million rows of user chat histories, API keys, server metadata, and other sensitive information.

The researchers first analysed DeepSeek's public domains and identified about 30 externally accessible subdomains, but none of them (a chatbot interface, a service status page, API documentation) offered attackers a way in. They then widened the search and found ports 8123 and 9000 open on several servers; these turned out to belong to the open-source ClickHouse DBMS. Through the DBMS's HTTP interface, the researchers ran the SQL query SHOW TABLES and got back a list of the available tables. One of them, log_stream, stood out: it contained log timestamps, API endpoint names, plaintext user chats, assorted metadata, and details of DeepSeek's internal services.

Wiz Research contacted DeepSeek's developers, who promptly took action: the database is no longer reachable from the Internet. The incident nevertheless damaged DeepSeek's reputation.
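The exposure described above comes down to two settings that ship permissively in a stock ClickHouse install: a built-in `default` user with an empty password and no effective network restriction, and a `listen_host` that binds the HTTP (8123) and native (9000) ports on every interface. The script below is an added example, not code from SearchInform, Wiz Research or DeepSeek. It audits the two ClickHouse configuration files (`users.xml` and `config.xml`) for exactly those conditions, using constructed sample configurations (the weak one mirrors the default layout, the hardened one a loopback-only setup with a placeholder password hash); the exposed instance's real configuration is not public, so this is an assumption about the pattern, not a reproduction of it.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_network

# Constructed sample users.xml in the layout ClickHouse ships by default:
# the built-in "default" user has an empty password and may connect from
# any address. (Assumption: mirrors a stock install, not DeepSeek's config.)
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks>
        <ip>::/0</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Constructed hardened counterpart: a SHA-256 password hash (placeholder
# value, all zeros) and connections limited to the loopback addresses.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>0000000000000000000000000000000000000000000000000000000000000000</password_sha256_hex>
      <networks>
        <ip>127.0.0.1</ip>
        <ip>::1</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Constructed config.xml fragment binding the HTTP and native ports
# (the two ports named in the Wiz report) on every interface.
CONFIG_XML_ALL_INTERFACES = """<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""

PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def _has_password(user):
    """True if the user element carries any non-empty password setting."""
    for tag in PASSWORD_TAGS:
        el = user.find(tag)
        if el is not None and (el.text or "").strip():
            return True
    return False


def _allows_any_address(networks):
    """True if the <networks> block admits every client address."""
    if networks is None:
        # No <networks> block is treated here as unrestricted (assumption;
        # verify against the deployed ClickHouse version).
        return True
    for ip in networks.findall("ip"):
        value = (ip.text or "").strip()
        if value and ip_network(value, strict=False).prefixlen == 0:
            return True  # ::/0 or 0.0.0.0/0 covers the whole Internet
    for rx in networks.findall("host_regexp"):
        if (rx.text or "").strip() in (".*", ".+"):
            return True
    return False


def audit_users_xml(xml_text):
    """Return (user, finding) pairs for users reachable the way the exposed
    instance was: without a password and/or from any address."""
    root = ET.fromstring(xml_text)
    users = root.find("users")
    findings = []
    if users is None:
        return findings
    for user in users:
        if not _has_password(user):
            findings.append((user.tag, "no password set"))
        if _allows_any_address(user.find("networks")):
            findings.append((user.tag, "reachable from any address"))
    return findings


def listens_on_all_interfaces(config_text):
    """True if config.xml binds the server ports on every interface."""
    root = ET.fromstring(config_text)
    return any((el.text or "").strip() in ("::", "0.0.0.0")
               for el in root.findall("listen_host"))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users_xml(cfg))
    print("all interfaces:", listens_on_all_interfaces(CONFIG_XML_ALL_INTERFACES))
```

Running it reports two findings for the weak configuration (no password, reachable from any address) and none for the hardened one. Either finding on its own is survivable; the DeepSeek case is what happens when both hold at once and the server also listens on every interface.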

It’s too late to apologize

What happened: Apple got the insider behind its leaks to apologize publicly.

How it happened: Back in March 2024, Apple sued its former engineer Andrew Aude. He had leaked information about Apple's corporate culture, planned software releases, and devices to the media. According to Apple, the engineer talked to journalists from the Wall Street Journal (WSJ) and The Information over the Signal messenger on a corporate iPhone, and those journalists regularly published articles with insights into Apple's inner workings.

Apple and Aude recently reached a settlement. Its terms were not disclosed, but a public apology from the former employee was evidently one of them. Aude published a post admitting that during his eight years at Apple he had access to a range of confidential information, including internal data on unreleased devices and features. He called the leak a profound and costly mistake that destroyed relationships with colleagues and did irreparable damage to his career.

If it works, don't touch it

What happened: Elon Musk announced he had exposed a 'grand scheme' of U.S. welfare fraud; the Social Security Administration did not accept the allegations.

How it happened: On February 17, Elon Musk posted on his social network that the databases of government benefit recipients contain more Americans than the country's entire population: among them are 8 million people over 120 years old, more than 500 thousand over 150, and even people over 200 and 300 years old. This raised suspicions that “dead souls” were being used to claim fictitious social benefits.

After Musk's post, the media reported that the “long-lived” entries in the US Social Security Administration (SSA) database arise because its information system is written in COBOL, an old programming language.

COBOL uses May 20, 1875, as its reference date. If a benefit recipient's record has no date of birth, or an error occurs, the system substitutes 1875 automatically, which explains the large number of people of the same age in the database.

The SSA likewise attributes the remaining mysteries to the peculiarities of its systems. In 2015, the Office of Inspector General (OIG) audited the SSA and found that its information system left the “death” field blank for 6.5 million people whose age exceeded the “maximum reasonable life expectancy,” which opened the door to fraud. After the audit, the SSA agreed to implement a mechanism to stop payments to people over 115 and to consider automation options for quickly populating the “death” column. A repeat audit in 2023, however, showed that the problem had not gone away: the SSA system had become even less accurate, with 18.9 million people born in 1920 or earlier having no information in the “death” column.
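The two findings above, a sentinel birth date standing in for a missing one and records that are implausibly old yet have no death date, are the kind of data-quality checks a payment-control system has to run before money leaves. The script below is an added example, not SSA or OIG code: it applies the rules the article describes (the 1875-05-20 fallback date and the over-115 cut-off the SSA agreed to in 2015) to constructed beneficiary records, flagging sentinel dates for manual review rather than treating them as real ages, and flagging payments that should stop.

```python
from datetime import date

# Values taken from the article: the fallback birth date the SSA systems
# substitute when the real one is missing, and the age past which the SSA
# agreed in 2015 to stop payments.
SENTINEL_BIRTH_DATE = date(1875, 5, 20)
MAX_PAYABLE_AGE = 115


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def audit_beneficiaries(records, as_of):
    """Map record id -> list of data-quality or payment-control flags.

    Each record is a dict with keys id, birth (date), death (date or None)
    and paid (bool). Rules, in the order the article describes them:
      - a sentinel birth date means the real date is missing, so the
        computed age is meaningless and the record needs manual review;
      - a record with no death date but an age above the cut-off should
        not be paid;
      - nobody with a recorded death date should be paid.
    """
    flags = {}
    for rec in records:
        problems = []
        if rec["birth"] == SENTINEL_BIRTH_DATE:
            problems.append("sentinel_birth_date")
        elif rec["death"] is None and age_on(rec["birth"], as_of) > MAX_PAYABLE_AGE:
            problems.append("over_max_age_no_death_record")
            if rec["paid"]:
                problems.append("stop_payment")
        if rec["death"] is not None and rec["paid"]:
            problems.append("payment_after_recorded_death")
        if problems:
            flags[rec["id"]] = problems
    return flags


# Constructed sample records (not real SSA data).
SAMPLE_RECORDS = [
    {"id": "A", "birth": SENTINEL_BIRTH_DATE, "death": None, "paid": True},
    {"id": "B", "birth": date(1900, 1, 1), "death": None, "paid": True},
    {"id": "C", "birth": date(1950, 6, 15), "death": None, "paid": True},
    {"id": "D", "birth": date(1905, 3, 3), "death": date(1990, 1, 1), "paid": False},
    {"id": "E", "birth": date(1910, 1, 1), "death": date(1995, 1, 1), "paid": True},
]
AS_OF = date(2025, 2, 17)  # date of Musk's post, per the article

if __name__ == "__main__":
    for rec_id, problems in audit_beneficiaries(SAMPLE_RECORDS, AS_OF).items():
        print(rec_id, problems)
```

Record A is flagged only as a sentinel, not as a 149-year-old: the point of recognising the fallback value is that a missing birth date is an input error, not evidence of fraud, and treating it as an age would produce exactly the impossible figures quoted in the post.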

The SSA has refused to address the incorrect data for several reasons. First, the agency does not consider the situation a problem: most records with incorrect death information concern people who are not receiving payments, thanks to the mechanism implemented in 2015, and “correcting records for people who are not beneficiaries would divert resources from administering and managing programs.”

Second, the SSA concluded that updating death information along the lines of the OIG's recommendations “carries a significant risk of introducing incorrect information.” Implementation would require significant resources while providing “limited benefit” (if any) to the administration of its information systems, the agency said.

Financial fraud can happen anywhere: employees substitute bank details and steal the identities of clients or colleagues to move corporate funds to fictitious accounts, or take the bait of fraudsters and transfer company money themselves. A DLP system helps to cope with such threats: ready-made security policies detect fraud with assets, and “blacklists” focus control on those with access to the budget, so that fraud is stopped before the company suffers damage.
