Anonymous hacktivists steal AAPT customer data in data retention protest

Filed Under: Data loss, Law & order, Privacy

Internet security and privacy are enjoying a spirited public airing in Australia today.

The wires are abuzz with claims that hackers stole 40GB of data from AAPT, an Aussie ISP, in protest against proposed new surveillance and data retention laws.

Hacktivism isn't a new phenomenon, and it makes a handy excuse for outlaw hackers who want to flex their muscles whilst distancing themselves from common-or-garden cybercriminality.

Collecting data in large amounts - whether you're driving a Google StreetView car, operating a huge gaming network, or running a surveillance operation - comes with a huge commercial risk.

Sadly, that risk is often bigger for the individuals whose data is being collected than for the companies collecting it. (If you get fined for losing my data, you can recoup your loss by working smarter in the future. But I can't get a new birthday, and my mum can't get a new maiden name.)

A formal statement purporting to be from the CEO of AAPT has appeared on PasteBin:

July 26 2012 - STATEMENT FROM DAVID YUILE, CEO AAPT

IT WAS BROUGHT TO OUR ATTENTION BY OUR SERVICE PROVIDER, MELBOURNE IT, AT APPROXIMATELY 9.30PM LAST NIGHT THAT THERE HAD BEEN A SECURITY INCIDENT AND UNAUTHORISED ACCESS TO SOME AAPT BUSINESS CUSTOMER DATA STORED ON SERVERS AT MELBOURNE IT.

AAPT IMMEDIATELY INSTRUCTED MELBOURNE IT TO SHUT DOWN THE SERVERS WHEN WE WERE NOTIFIED OF THE INCIDENT. PRELIMINARY FINDINGS SUGGEST IT WAS TWO FILES THAT WERE COMPROMISED AND THE DATA IS HISTORIC, WITH LIMITED PERSONAL CUSTOMER INFORMATION. FURTHER, THE SERVERS ON WHICH THE FILES WERE STORED HAVE NOT BEEN USED OR CONNECTED TO AAPT FOR AT LEAST 12 MONTHS.

I'm not sure how much comfort we should feel to know that the "data is historic". After all, historic data is, by definition, significant and important.

Dictionary humour aside, surely there's less justification for losing last year's now-redundant data than for having your latest database hacked?

Losing data which didn't need to be online at all - data which you weren't actually using, and hadn't used for some time - seems even more careless than finding that your currently-active online database system has a command injection flaw.

(Note that I'm not saying that losing current data is acceptable. But it is easier to understand why it might happen.)

If you're going to leave data lying around off-site - listen up, anyone who's ever used any sort of cloud service! - then be sure to encrypt it first.

That way, if it falls into the wrong hands, it's just so much shredded cabbage.

As for the hackers, their behaviour can't be condoned either.

So far they've got at least some popular support - the Australian editor at The Next Web, for example, opined that "[g]iven Australia’s less-than-stellar record with sane Internet security policies in recent years, we can only hope that attacks like these are not in vain and prove to lawmakers that their efforts will be ineffective."

Nevertheless, the hackers have not only trampled on existing, purposeful, anti-breach laws to achieve their aims, but also now have possession of data they ought not. Word on the street seems to be that they plan to disclose some of it - which will just make the whole thing worse.

It certainly seems strange to protest against the risks of data retention by making yet another copy of data you think ought not to have been there in the first place. Somehow, it feels a bit like deliberately picking a fight down the pub to demonstrate the problems posed by alcohol-fuelled violence.

And there you have it.

You'll have to make your own mind up on the morality of hacktivism and the propriety of surveillance and data retention.

Just remember this: when it comes to privacy, cryptography is your friend.



The images of shredded cabbage and the 24-hour surveillance sign are courtesy of Shutterstock.


7 Responses to Anonymous hacktivists steal AAPT customer data in data retention protest

  1. Austin · 727 days ago

    This article kinda left out what is the data retention law that the attack is protesting. would be helpful to be able to see this piece so the reader does not have to then leave this article and read up on it on another source.

  2. internet explorer · 726 days ago

    I second Austin's comment. Seems like sloppy reporting not to at least give a quick summary of the law in question rather than what can at best only be termed a vague characterization. Still, I'm glad to have received even this much (little) information, as it makes me more aware of what's going on out there. So, please keep up the good work, just try to be a little more complete so that we get a better picture of relevant events.

  3. loving thesixties · 726 days ago

    I agree. the headline reference to data retention is what got my attention in the first place, so I felt duped not to find any info on it.

  4. Paul Ducklin · 725 days ago

    Apologies that you feel "duped" (though a quick right click on the link I provided would probably have been more than enough to tell you what you needed to know) - the main thrust of the article was _that the data got stolen at all_, and how/why that came about.

    I linked to third-party articles simply because I didn't want to focus on that part of the issue here, since it's Aussie-specific. (Whenever I write about Aussie-only stuff, I get blasted by other readers for being parochial, and the Nak Sec editors don't like that.)

    However, since you asked, I'll quote from the article to which I linked above:

    "Any device connected to the internet such as a computer, smartphone or tablet could soon have its web history logged and retained for up to two years by telecommunications companies for law enforcement purposes under reforms being proposed by the [Labor-led government of Prime Minister Julia] Gillard.."

    [Source: http://www.mailtimes.com.au/news/national/nationa...

    Not sure I'd call that sort of legalistic change a "reform", and...

    ...now I feel a privacy-surveillance-and-data-collection diatribe coming on. Now you can see why I skirted the details of the law and concentrated on the data leak and the crypto :-)

  5. loving thesixties · 725 days ago

    Thanks for the reply. Australia may be "down under," but these days it seems like such proposals come up over the equator just as easily as they do from around the Congressional corner or through the state legislative transom (my apologies to that old cigarette filter commercial theme of "over, under, around and through"). In other words, it's not so much what the Aussies are doing now as it is what someone here in the States may be trying to do next. It's always better to be prepared for something before it arrives than to be caught unaware. And it's almost always easier to prevent something than to undo it after it's done.

  6. internet explorer · 725 days ago

    I don't know about your part of the world, but here in the U.S., we left click on a link to get to the content behind it. Also, it sure would have been nice if you had given a one-sentence or even one-paragraph summation of the four-minute plus TV footage and/or the three-page Mail-Times article so readers would not have to get lost in the details of those reports in order to understand the gist of what is going on there. Sorry to hear about you having to keep an eye over your shoulder, so to speak; silly me, I had always thought that Nak Sec was just as interested in such events no matter where they were taking place. Besides, the ones literally being parochial are those who are not interested in what's happening elsewhere.

    • Brady Williams · 724 days ago

      I live here in the good ole US of A and I right click 99% of all links so I can read them in a new tab instead of having to use the back key to return to the original article.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog