Anonymous hacktivists steal AAPT customer data in data retention protest

Internet security and privacy are enjoying a spirited public airing in Australia today.

The wires are abuzz with claims that hackers stole 40GB of data from AAPT, an Aussie ISP, in protest against proposed new surveillance and data retention laws.

Hacktivism isn’t a new phenomenon, and it makes a handy excuse for outlaw hackers who want to flex their muscles whilst distancing themselves from common-or-garden cybercriminality.

Collecting data in large amounts – whether you’re driving a Google StreetView car, operating a huge gaming network, or running a surveillance operation – comes with a huge commercial risk.

Sadly, that risk is often bigger for the individuals whose data is being collected than for the companies collecting it. (If you get fined for losing my data, you can recoup your loss by working smarter in the future. But I can’t get a new birthday, and my mum can’t get a new maiden name.)

A formal statement purporting to be from the CEO of AAPT has appeared on PasteBin:

July 26 2012 - STATEMENT FROM DAVID YUILE, CEO AAPT

IT WAS BROUGHT TO OUR ATTENTION BY OUR SERVICE PROVIDER, MELBOURNE IT, AT APPROXIMATELY 9.30PM LAST NIGHT THAT THERE HAD BEEN A SECURITY INCIDENT AND UNAUTHORISED ACCESS TO SOME AAPT BUSINESS CUSTOMER DATA STORED ON SERVERS AT MELBOURNE IT.

AAPT IMMEDIATELY INSTRUCTED MELBOURNE IT TO SHUT DOWN THE SERVERS WHEN WE WERE NOTIFIED OF THE INCIDENT. PRELIMINARY FINDINGS SUGGEST IT WAS TWO FILES THAT WERE COMPROMISED AND THE DATA IS HISTORIC, WITH LIMITED PERSONAL CUSTOMER INFORMATION. FURTHER, THE SERVERS ON WHICH THE FILES WERE STORED HAVE NOT BEEN USED OR CONNECTED TO AAPT FOR AT LEAST 12 MONTHS.

I’m not sure how much comfort we should feel to know that the “data is historic”. After all, historic data is, by definition, significant and important.

Dictionary humour aside, surely there’s less justification for losing last year’s now-redundant data than for having your latest database hacked?

Losing data which didn’t need to be online at all – data which you weren’t actually using, and hadn’t used for some time – seems even more careless than finding that your currently-active online database system has a command injection flaw.

(Note that I’m not saying that losing current data is acceptable. But it is easier to understand why it might happen.)

If you’re going to leave data lying around off-site – listen up, anyone who’s ever used any sort of cloud service! – then be sure to encrypt it first.

That way, if it falls into the wrong hands, it’s just so much shredded cabbage.
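The "encrypt it first" advice above, as an added example that is not from the article: a Go function pair (my own names, SealForOffsite and OpenFromOffsite) that seals an archive with AES-256-GCM before it is parked on a third party's server, binding a label such as the file name as associated data, so the dormant copy is unreadable without a key that never leaves the owner, and any tampering or relabelling is rejected on recovery.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD; key must be 16, 24 or 32 bytes (AES-256 here).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForOffsite encrypts an archive before it is handed to a third-party host.
// The key stays with the data owner, never beside the blob. label is authenticated
// but not encrypted (file name, retention date), so a stored blob cannot be
// relabelled or swapped for another without detection.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func SealForOffsite(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenFromOffsite recovers the archive; any change to blob or label fails closed.
func OpenFromOffsite(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(label))
}
```

The key itself belongs in a KMS or HSM under the owner's control, not on the same host as the blob; with that split, a copied or leaked archive is the "shredded cabbage" the article describes.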

As for the hackers, their behaviour can’t be condoned either.

So far they’ve got at least some popular support – the Australian editor at The Next Web, for example, opined that “[g]iven Australia’s less-than-stellar record with sane Internet security policies in recent years, we can only hope that attacks like these are not in vain and prove to lawmakers that their efforts will be ineffective.”

Nevertheless, the hackers have not only trampled on existing, purposeful, anti-breach laws to achieve their aims, but also now have possession of data they ought not. Word on the street seems to be that they plan to disclose some of it – which will just make the whole thing worse.

It certainly seems strange to protest against the risks of data retention by making yet another copy of data you think ought not to have been there in the first place. Somehow, it feels a bit like deliberately picking a fight down the pub to demonstrate the problems posed by alcohol-fuelled violence.

And there you have it.

You’ll have to make your own mind up on the morality of hacktivism and the propriety of surveillance and data retention.

Just remember this: when it comes to privacy, cryptography is your friend.


The images of shredded cabbage and the 24-hour surveillance sign are courtesy of Shutterstock.