Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

04:36 PM

Can Data Breaches Kill?

When data is sensitive enough, its exposure has the potential to be fatal

Data breaches have long threatened the identities of individuals whose data was stolen by pilfering cybercriminals. But, in some cases, the breach of sensitive data can put far more than just the credit histories of victims at risk. In the right set of circumstances, a data breach can put people's lives at risk.

As far as the security community knows, there has been no documented case where breached private details have proved fatal. But the recent exposure of sensitive information held by more than 70 different U.S. law enforcement agencies by Anonymous provides a perfect example of the type of information that could put a breach victim's life at risk.

The group nabbed and made public the personal information of hundreds of law enforcement officers via BitTorrent, as well as the names and information of police informants for many of the departments hit in the attack.

"It's certainly some pretty heavy-duty data that they got access to this time, very different from the typical user names and passwords that they publish," says Josh Shaul, CTO of database security firm Application Security. "We don't know exactly what happened, but we know their MO. When it's Anonymous and Lulzsec, it's almost always simple injection to get to the inside and extract some data. A lot of those files were not stored in databases, but they very likely used SQL injection to get to a database and then used database vulnerabilities to get to the sensitive files that they then extracted in the end. I think they got to really sensitive data because that data was completely accessible."

As Shaul and several security experts acknowledged, information like the data dumped on BitTorrent by Anonymous could put people's lives in danger. Police informants depend on their anonymity to provide confidential information to law enforcement officers, and they count on the agencies they work with to keep a tight lid on their personal details and connections to law enforcement.

"Just knowing the name of a person within a secret organization or relationship can be life-threatening for them," says Mel Shakir, CTO of NitroSecurity. "As organizations start looking at these incidents, they'll start to understand the implications of even employee information being stolen."

This latest Anonymous raid of public safety agencies was reportedly a retributive attack against the entire field of law enforcement for the arrest of "Topiary," the Lulzsec spokesman picked up by Scotland Yard in late July. But this isn't the first time Anonymous has put law enforcement lives at risk -- in June it released information about law enforcement officers from the Arizona Department of Public Safety.

"The rest of the country doesn't realize how dangerous it is here in Arizona," says Adrian Lane, security analyst for Securosis. "It's a border area, and we have groups of 'coyotes' that bring illegals over the border; it's a professional enterprise run by Mexican mafia. The border agents fear for their lives because those coyotes will come after them and will kill them. These are also the officers who are going to raid the houses of drug dealers. That's a potentially life-threatening issue."

Even law enforcement agencies themselves have been culpable of exposing people whose police involvement could put them at risk.

Last year an informant for the Sheriff's Office of Mesa County, Colorado, saw theirs name popping up on a Google search. The search engine's crawler had found an unsecure FTP site on a server owned by the county that contained names, contact information, and Social Security numbers of drug informants to the agency. Somehow an IT staffer mistakenly put that data onto the FTP site from a very sensitive database file.

Incidents like this and the Anonymous attacks show that public safety organizations need to spend as much attention to cybersecurity as they do to physical security; at this point, too much information is accessible over networks to ignore the risk.

"People going after information that is going to be life-threatening for others has some major legal ramifications and is going to hurt people's lives," Shakir says. "Organizations have to take more precautions, the same way that they put up secure buildings with cameras and guards. We are in the cyberworld and, with most of our lives being online, we have to make that investment. We cannot be lax anymore."

Sadly, though, this message just doesn't seem to be getting through to even those organizations that hold people's lives in their hands.

"This is the prevalent state of affairs across almost the entire universe right now in information security," Shaul says. "I think if something really bad happened I wouldn't be surprised to see this go political and see Congress try to put some sort of legislation in place that makes it look like they're doing something."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-26
A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES...
PUBLISHED: 2021-02-26
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding.
PUBLISHED: 2021-02-26
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.
PUBLISHED: 2021-02-26
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.
PUBLISHED: 2021-02-26
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability.