(In)Secure Digest: theft of national secrets, a rogue VPN, and a fine for security guards' curiosity
29.06.2023
What happened: The Sorgu Paneli service, designed to provide access to personal information of Turkish citizens, was targeted by attackers.
How it happened: The organization Free Web Turkey, known for their work against online censorship, issued an official statement revealing the exposure of personal data belonging to millions of Turkish citizens. This service, known as the "query panel," offered free access to a wide range of personal information, including names, identification numbers, addresses, and phone numbers of residents in Turkey. Notably, the database also contained data of foreign individuals registered in the electronic system. While initial use of the website was free (resulting in over 5,000 registered users at the time of discovery), a paid subscription allowed users to access more comprehensive information. The Media and Law Studies Association, a nonprofit organization and one of Free Web Turkey's founders, pledged to take legal action against both the creators of the website and the authorities responsible for safeguarding the information. However, it is important to note that there is no concrete evidence supporting claims that data from Turkey's e-government system, which serves around 85 million individuals, was compromised. The Free Web Foundation, with insights from experts experienced in similar data services, discovered that the Sorgu Paneli site provided access to data aggregated from multiple leaks. The head of the cybersecurity department in the Office of Digital Transformation, under the president's office, stated that there couldn't have been any data leakage from the e-government system, which had only 63 million registered users.
Revenge through the database
What happened: An employee who was terminated from a medical company manipulated information in their employer's database.
How it happened: In May 2022, an employee at Vituity, a company specializing in managing medical staff contracts, received notice of their impending termination. Before being dismissed, the employee changed the password of a colleague's account so that they would retain access to Vituity's systems after their own account was deactivated. In September 2022, the former employee used this retained access to log in to the company's systems remotely. They altered the password of another employee's account and made modifications to the personnel database. The vindictive individual also manipulated the records of thousands of current and former employees, replacing the real details with falsified information. By the end of May, the perpetrator was apprehended and now faces potential penalties including up to 10 years of imprisonment, a $250,000 fine, and restitution for unauthorized computer access.
Playing the role of an extortionist
What happened: A British information security specialist pretended to be a hacker in order to blackmail his employer.
How it happened: In 2018, a ransomware attack targeted a company in Oxford. Following the incident, the attackers contacted the company's management and demanded a ransom. Seizing the opportunity, the company's information security analyst, Ashley Lyles, who had been actively involved in internal investigations of such incidents, gained access to the board members' correspondence. Lyles altered the content of the original email from the extortionists and changed the provided address for the ransom payment. He also created an email address that closely resembled the attackers' and engaged in communication with the company's management, demanding the transfer of funds. However, Lyles did not receive the ransom. The company discovered unauthorized access to email accounts and traced it back to Ashley Lyles' home address. In an attempt to hide his involvement, the desperate blackmailer deleted all data from his devices a few days before his arrest. However, the police were able to recover information that served as direct evidence of his crime. Despite denying involvement for nearly five years, Lyles pleaded guilty in May of this year, and the court is scheduled to announce the final verdict in July. Under British law, unauthorized computer access is punishable by up to two years in prison, while blackmail can lead to up to 14 years of imprisonment.
Under the Tesla hood
What happened: An internal leak from Tesla led to an investigation into issues within the company.
How it happened: German newspaper Handelsblatt released an investigation into problems at Tesla based on 100 GB of data obtained from whistleblowers within the electric car manufacturer. The leak consists of over 23,000 files spanning from 2015 to March 2022, including complaints from drivers regarding car issues and a technical breakdown of those complaints. The documents also contained sensitive information such as employee salaries, customer banking details, trade secrets, and even personal details of company owner Elon Musk. The journalists spent six months verifying the information and focused on the safety concerns surrounding Tesla's electric cars, as evidenced by the numerous complaints. The investigation was published with the headline, "My Autopilot Almost Killed Me." However, it also raises serious questions about the company's data handling practices, as insiders were able to access files outside of their authorized areas without significant difficulty. Both German and Dutch regulators expressed interest in the incident. Under GDPR regulations, the leak could potentially subject Tesla to a fine of up to $3.3 billion.
The Intellectual Property Heist
What happened: A former high-ranking Samsung executive has been accused of stealing valuable information regarding chip production.
How it happened: According to the prosecutor's office, a 65-year-old employee of the Korean microelectronics manufacturer illicitly acquired confidential information between 2018 and 2019. The intention behind this act was to utilize the stolen data in constructing a replica of Samsung's memory chip production facility just a short distance away from the original factory. The stolen information encompassed essential details including facility design data and the layout of equipment across the premises. It is important to note that under South Korean law, information pertaining to the production of memory chips measuring 30 nanometers or smaller is deemed a key national technology, warranting enhanced protection. The prosecution has estimated that the data theft has resulted in damages amounting to no less than $233 million. The accused top executive vehemently denies any involvement in the theft of these trade secrets.
VPN with no secrets
What happened: A researcher uncovered a database containing over 360 million customer activity records for a widely used free VPN service.
How it happened: A cybersecurity researcher stumbled upon a publicly accessible 133 GB database. The majority of the compromised records were linked to the popular free VPN app called SuperVPN. The leaked data included sensitive information such as users' email addresses, source IP addresses, geolocation data, server information, and supposedly confidential keys, unique user numbers, and UUIDs. Furthermore, the leak exposed details about users' device models, refund requests (likely after the expiration of the free usage period), and links to visited pages. The researcher reported the findings to various addresses associated with the app but did not receive a response. However, soon after, the database was no longer available to the public.
Inquisitive Security Guards
What happened: Yakima City Hospital was penalized with a $240,000 fine due to security guards accessing electronic patient data without authorization.
How it happened: In April 2017, Yakima City Hospital informed 419 emergency department patients that their medical data had been viewed by employees without proper permission. From October 2016 to January 2017, these employees accessed patient records even though doing so was not within their job responsibilities. The incident was uncovered during an internal inspection, after which the employees were denied further access and the organization opened an investigation. Preliminary findings suggested that the individuals involved had no malicious intentions and may have viewed the data out of curiosity or boredom. Cyber experts involved in the investigation found no evidence that patient information had been sold on the black market. In 2018, the hospital reported the incident to the U.S. Department of Health and Human Services' Office for Civil Rights. On June 15, 2023, a settlement agreement was announced between the agency and the hospital. It was revealed that the incident was caused by 23 emergency room guards who had been reviewing patient records. The records they accessed without authorization included sensitive details such as names, dates of birth, medical record numbers, addresses, treatment information, and insurance information. As part of the settlement, the hospital agreed to pay a $240,000 fine and implement measures to comply with HIPAA regulations. These measures include conducting a health information risk assessment, providing training to employees, and evaluating their relationships with vendors and contractors. Incidents like these are not uncommon in the U.S. healthcare sector. For example, in 2017, two employees of an operator managing six hospitals in Florida were fined $5.5 million for unauthorized access to patient data.
Cautionary AI Mishap in Legal Circles
What happened: A U.S. attorney faces consequences for quoting non-existent court cases generated by an AI chatbot.
How it happened: During a lawsuit against Avianca, an airline passenger sued for a knee injury caused by an airplane food cart. The airline sought to dismiss the case, but the passenger's legal team submitted a 10-page argument supporting the lawsuit. In this document, Stephen Schwartz from Levidow, Levidow & Oberman law firm included references to legal precedents that were fabricated and never occurred. The deception came to light when the airline's lawyers could not find any evidence of the court cases cited in the argument. It was revealed that out of the 10 cases, six were entirely fictional. The law firm later clarified that the employee responsible for drafting the argument had limited access to legal research and sought assistance from a chatbot named ChatGPT. Unfamiliar with the technology, they didn't consider the possibility of AI generating fictitious facts. In fact, Schwartz even double-checked with ChatGPT for the authenticity of the precedents, receiving affirmations that they existed. While admitting to this monumental mistake, Schwartz insisted it was unintentional and not an attempt to mislead anyone involved in the litigation. During a special hearing, Schwartz's defense requested leniency for the error. On June 22, the judge imposed sanctions on Schwartz and his colleague, who also signed the document containing the fabricated precedents. Both were fined $5,000 and instructed to inform the respective judges who were attributed with the AI-generated opinions. This incident serves as a cautionary tale about the potential pitfalls of haphazardly employing AI chatbots in the legal profession. It is not the first instance where the legal system has intersected with artificial intelligence. In a separate incident in China, a man was detained for allegedly spreading false train derailment news created by an AI system on social media.