'We could hack the Queen's medical records if we wanted'

Filed Under: Data loss, Featured, Law & order, Malware, Privacy

It's a story which has the potential to make the scandal over the hacking of celebrities' mobile phone voicemails seem like small potatoes.

BBC Radio 4 has broadcast a documentary claiming that computer hackers were used by the British press to spy on politicians and the military.

According to the programme, the illicit mining of confidential information was said to be rife at one detective agency, which allegedly bragged of their ability to gain access to private medical records, tax records, pension information and so forth.

"They boasted 'we could get the Queen's medical records if we needed it'".

BBC Radio 4's The Report

Undercover investigations

In "The Report", BBC reporter Jane Dodge spoke to a man who had unusual visibility on the inner workings of a private investigations agency used by national newspapers.

For 10 years, former police officer Joe Poulton (not his real name) went undercover as a 'chis' (covert human intelligence source) at a firm called Southern Investigations. His job was to gather information for the police about the firm, and its owner Jonathan Rees.

Jonathan ReesPoulton wasn't there to gather evidence about computer hacking - but instead gathering intelligence regarding a possible connection between Rees and the murder of Daniel Morgan in 1987. Rees was charged with the murder but the case against him collapsed in March 2011.

What's of interest to us, of course, are the unrelated claims of computer hacking. Because Joe Poulton told the BBC about the lengths the detective agency were prepared to go to get a story.

Rather than doing background checks for newspapers investigating stories, the firm is said to have discovered that there were rich pickings to be made from taking a story to a newspaper instead.

In Poulton's opinion, such a relationship works well for newspapers as it allows them to distance themselves themselves from the (possibly illegal) way in which information has been gathered.

Spyware Trojan horses

Poulton told the BBC documentary that Southern Investigations commissioned computer hackers in their thirst for information they might be able to sell to newspapers. Some of the hackers were said to have learnt the tricks of the trade while working for army intelligence.

A typical attack would involve a Trojan horse (dubbed an "eblaster trojan attack") that could capture keystrokes and allow a remote hacker to see what was happening on a compromised computer. In this way, all emails and attached documents could be easily read.

The Northern Ireland connection

The documentary spoke to some possible victims of just such a Trojan attack: Ian Hurst, a former British army intelligence officer who handled IRA informers in Northern Ireland, and Jane Winter of British-Irish Rights Watch.

Hurst believes that Jonathan Rees hired a hacker to spy on his computer in 2006. According to the former army officer, journalists wanted to discover the new address of a man using the codename "Stakeknife", an IRA informant who had fled after his name was made public.

Meanwhile, Jane Winter believes that sensitive information accessed on her hacked computer could have potentially put people's lives at risk.

Peter HainThese alleged hacks took place in 2006 - a tense political time for Northern Ireland.

Recently it has emerged that email accounts belonging to the then government minister for Northern Ireland may also have been hacked.

Peter Hain, who served as Secretary of State for Northern Ireland between 2005-2007, has been told by Scotland Yard's "Operation Tuleta" team that computers belonging to him, containing sensitive intelligence material, may have been compromised.

Although all of the victims uncovered by the BBC investigation have a Northern Ireland connection, it is easy to imagine that the scale of the problem was actually much wider.

Hacking computers - but for who?

The obvious question has to be, if the claims that Southern Investigations hired hackers are true, who was the information being gathered for?

News of the WorldOn the BBC documentary, Joe Poulton names former News of the World executive Alex Marunchak as one of the firm's regular customers.

Marunchak has denied any wrongdoing, saying he had never instructed any third party to gather private information through illegal means.

In addition, Jonathan Rees, the owner of Southern Investigations owner, denies ever selling or providing information obtained through illegal methods.

Ironically, Joe Poulton also believes his own computer was hacked and his communications spied upon - an incident that resulted in him blowing his cover in 2006, and forced him to abandon his role gathering information for the police.

Poulton claims that hackers would have been able to remove intelligence documents from his computer - including debriefs with his handlers.

Did the police know about all this hacking?

According to the BBC, the police have known about the problem of rogue private investigations firms hacking into computers for some time. A confidential report, seen by the BBC, was sent to the Home Office by the Serious Organised Crime Agency (SOCA) in 2008, detailing the criminal activities of such firms and the need for proper regulation of the industry.

The report describes the "eblaster Trojan attack" and even gives a price list for hacking different types of device:

Hacking phones/voicemail £7000 per month
Hacking computers £7000 per month

Of course, if the authorities have known about these activities for some years - why has it taken so long for a proper investigation of the hacking allegations to begin?

Operation Tuleta has an important job to do - not only in uncovering the truth about computer hacking, but also improving the reputation of a Metropolitan Police shaken by the repercussions of the phone hacking scandal.

For more information, listen to the BBC Radio Four programme: "The Report: Computer hacking".

, , , , , , , , , , , ,

You might like

8 Responses to 'We could hack the Queen's medical records if we wanted'

  1. Robert Gracie · 858 days ago

    You just dont do such a thing as hack anything to do with the British Royal Family your just asking for trouble there, its the golden rule you just do not do such a thing as hack into anything to deal with the British Royal Family and if they catch you, you will be spending some time at the her majesty's pleasure in a prison for a VERY VERY long time that is if you are tracked and traced and found out, no diplomatic immunity or not your going to face time for it, thats what I think about it

    • Fred Sagen · 855 days ago

      You forget one minor point, Robert.

      Her Majesty is Commander in Chief of all the armed forces along with many other institutions and UK-born natives of Britain are her subjects as are commonwealth natives.

      If you displease Her Majesty, there is a significant chance that you may never be heard of again.

      No trial. No prison time. No more you.

    • 4caster · 855 days ago

      Robert, and Fred:
      In which kingdom do you think we live? Saudi Arabia, or Thailand?
      What happened to the hackers who recorded the Princess of Wales's telephone calls? Or the conspiracy theorists who tried to implicate the Duke of Edinburgh in her fatal car crash? Or Michael Fagan, the nutter who gained access to the Queen's bedroom, whilst her armed police security officer was walking the corgis? Sweet Fanny Adams, that's what.
      And what hapenned to the murderer of WPC Yvonne Fletcher outside the Iranian Embassy? He or she claimed diplomatic immunity and was escorted out of the country via Heathrow Airport.
      We all deserve equal protection from hackers, whether we are rich and famous, or down and out. The police are far too laid back, and even collaborated with the News of the World hackers!

      • Fred Sagen · 855 days ago

        I agree with you, 4caster, that we all deserve equal protection.

        However, my point that it is in Her Majesty's power and is her prerogative to exercise her constitutional rights, still stands.

        The facts of the incidents that you refer to as examples simply indicate that Her Majesty is also 'far too laid back' and prefers to allow such incidents to be dealt with through the courts at public expense.

        Do not forget that the charge of Treason still carries the death penalty and that certain actions by certain individuals in this matter of hacking could be interpreted as treasonable.

        I doubt that it would be in the public interest nor in the Monarchy's to have an expensive public trial for Treason but I would not be surprised if, in the future, certain individuals suffer unfortunate accidents.

  2. jnbrwn · 857 days ago

    i didn't think they were going to get MetPol in the story. the police were there the entire time. i expect PIs to make an unsavory living, not the two "i quit" heads of police and their minions.

  3. Gavin · 855 days ago

    As we see over and over and over again, it's incredibly distasteful what people (and by extension, institutions) will do for monetary gain. And everyone plays a careful game of distancing themlves from overt illegal activity just enough to be able to say, "I didn't ask anyone to break the law."

    Where is the anti-corruption body that can be brought to bear on such things? Why is there no meaningful public outcry against such practices? Sadly, as long as people want to keep wasting their money on trashy rags akin to News of the World, and as long as they care more about what may or may not be happening with famous peoole they don't know more than with their own families, such underhanded practices will continue largely unabated.

  4. Gavin · 855 days ago

    That, of course, is not a British problem. It's a general flaw of the human condition. So this scandal is no surprise to me, and I am quite sure that such practices are way more rife than even this article suggests. All we can hope is that when news like this breaks these poisonous activities will abate for a while.

    I suppose this highlights the importance of computer security in the eyes of the public, if there's a silver lining anywhere! Merry Christmas, fellow upstanding professionals!

  5. goggzilla · 590 days ago

    "Poulton" ought to have quit whilst ahead. His name and address are now in the public domain, do a bit of Googling or e-mail me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.