“Computer hacker steals sensitive information from 20,000 Christchurch hot pools customers” — NO. That’s NOT what happened.
There is a highly misleading news report on Stuff today. Permit DataBreaches to set the record straight by quoting some statements from the news story and responding.
Liz McDonald reports:
Personal information about as many as 20,000 members of the public has been stolen in a data breach at Christchurch City Council’s He Puna Taimoana hot pools.
It wasn’t “stolen.” It was found exposed and leaking.
“We were notified of the breach by a third party who had been contacted by an individual claiming to have accessed and downloaded certain files stored on the He Puna Taimoana cloud server,” Cox said in the email.
This is partially true. DataBreaches is the third party who contacted them. DataBreaches contacted He Puna Taimoana at the researcher’s request. The researcher’s attempt to call He Puna Taimoana to alert them to their data leak had not reached a live person, and they wanted to ensure the alert was received. As many whitehat researchers have done, and as they have also done before, they turned to DataBreaches to request assistance in making responsible disclosure.
“At this stage, we have reason to believe that the third party who accessed and illegally downloaded files stored on the He Puna Taimoana cloud server is a ‘white hat hacker,’ being an individual who exploits computer systems or networks to identify vulnerabilities in order to encourage improvement or enhancement to the security of those systems or networks.
If there is no password protection on a database or “keep out” banner of any kind, the data are public and can be freely downloaded by anyone with internet access anywhere in the world. This researcher wasn’t “hacking.” He was researching and found exposed data.
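The point above is a configuration question: an Azure storage container set to anonymous access is readable by anyone, and nobody has to "hack" anything. The following is an added example, not code from the DataBreaches post or from the council, showing the audit a defender would run over their own storage configuration to catch exactly this. It assumes the JSON shapes returned by `az storage account show` (the `allowBlobPublicAccess` flag) and `az storage container list` (each container's `properties.publicAccess`); the account and container data below are constructed, not real.

```python
import json

# Constructed sample inputs (not real data). Their shape mirrors, as an
# assumption, the JSON output of `az storage account show` and
# `az storage container list`.
SAMPLE_ACCOUNT_JSON = json.dumps({
    "name": "examplestorage",
    "allowBlobPublicAccess": True,
})
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"name": "customer-uploads", "properties": {"publicAccess": "container"}},
    {"name": "id-photos", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": None}},
])

# What each container-level setting means for an anonymous visitor.
PUBLIC_LEVELS = {
    "container": "anonymous users can list and read every blob in the container",
    "blob": "anonymous users can read any blob whose URL they know or guess",
}


def audit_public_access(account_json, containers_json):
    """Return findings as (scope, name, setting, impact) tuples."""
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    findings = []

    # Account-level switch. A missing value is treated as enabled, the
    # conservative reading, because older accounts defaulted to allowing it.
    if account.get("allowBlobPublicAccess", True):
        findings.append(("account", account["name"], "allowBlobPublicAccess=true",
                         "containers on this account may be opened to anonymous access"))

    # Container-level setting: only None/"off" means authentication is required.
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level in PUBLIC_LEVELS:
            findings.append(("container", c["name"], level, PUBLIC_LEVELS[level]))
    return findings


def remediation_commands(account_name, findings):
    """Azure CLI commands that close each finding (verify the syntax against your CLI version)."""
    cmds = []
    for scope, name, _setting, _impact in findings:
        if scope == "account":
            cmds.append(f"az storage account update --name {name} "
                        f"--allow-blob-public-access false")
        else:
            cmds.append(f"az storage container set-permission --name {name} "
                        f"--account-name {account_name} --public-access off")
    return cmds


if __name__ == "__main__":
    found = audit_public_access(SAMPLE_ACCOUNT_JSON, SAMPLE_CONTAINERS_JSON)
    for scope, name, setting, impact in found:
        print(f"[{scope}] {name}: {setting} -> {impact}")
    print("\nRemediation:")
    for cmd in remediation_commands("examplestorage", found):
        print("  " + cmd)
```

Run against real output by piping the two CLI commands into files and loading them instead of the constructed strings. The account-level flag is the one worth fixing first: with `allowBlobPublicAccess` set to false, a container accidentally created with "blob" or "container" access still cannot be read anonymously.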
At this stage, we have no reason to believe the information has been further disclosed by the third-party actor other than to the third party who has informed us of the breach.
The whitehat researcher destroyed any data that had been downloaded after the entity acknowledged notification and secured the blob. Sean Rainey, Manager Official Information and Privacy Officer, Official Information Team, Christchurch City Council, was informed of this in follow-up correspondence in August.
The privacy commissioner has been notified, he said.
Yes, the privacy commissioner’s office was notified — by DataBreaches — after He Puna Taimoana hot pools did not respond to this site’s first email attempt to alert them to the exposed data.
Here is the text of the first email sent to them, with URLs now redacted:
I’m a journalist in the U.S. who reports on data breaches and data leaks.
A researcher contacted me after he tried to call you and got a message on your phone saying you couldn’t take the call.
The researcher found that you are exposing customer data and images because you have a storage Azure blob that is not secured properly.
You should contact your IT professional immediately and give them the following information:
The unsecured Azure blob is at: <url removed from this post>
Here are just a few files that the researcher showed me as proof of exposure: <urls removed from this post>
The researcher says you had more than 20,000 exposed files in that blob when they checked it yesterday and there were even more today.
I would encourage you to immediately go secure that blob so that you protect customer personal information.
The council was also informed that links to the exposed data had also appeared on GrayHatWarfare, and that the council should contact them to see if they had any relevant logs and if they would remove any links.
Does this sound like a researcher who “stole” data or someone the public needs to be concerned about?
DataBreaches had no intention of reporting on this leak but felt compelled to defend the unnamed researcher’s honor, which has been impugned by any suggestion that they hacked or stole data. The researcher went out of their way to notify the council. They sought no reward or bounty or even thanks. They were just engaging in ethical research and disclosure. They don’t deserve to be accused of stealing data.
The council should have disclosed this incident by saying, “We screwed up and didn’t lock down all the files we had with your personal information. We’re sorry for that and embarrassed. Thankfully, a kind and ethical researcher discovered our mistake, and when they couldn’t reach us to alert us, they asked a journalist they trusted to make the notification. The researcher and their employer destroyed all the data they had downloaded.”
That would certainly be a different news story than the one Stuff was given, but it would be more accurate.