A hacker swiped 2,800 logins and passwords from Securus, the company that US Senator Ron Wyden recently pilloried for letting law enforcement track phones.
The hacker at the very least snatched a spreadsheet that housed the data, according to a Motherboard report.
The breach occurred on the heels of Wyden asking the US Federal Communications Commission (FCC) to investigate the wireless carriers that allow law enforcement to have “unrestricted access to the location data” of their customers after a former Missouri sheriff was indicted for, among other things, tracking the cell phones of numerous persons, including some state troopers, without the benefit of a court order.
“This breach is another example of how supply-chain partners can impact your risk posture. There's a high likelihood that the credentials used by law enforcement for their Securus login are also used in other places by the same individuals,” said Tim Erlin, vice president of product management and strategy at Tripwire. “That means the accessed data is valuable not only as standard ‘personal data,’ but potentially for access to law enforcement services.”
Ben Johnson, CTO and co-founder of Obsidian Security, took Securus to task for its flagging security posture. “Any company that handles this level of sensitive information that doesn't have security prioritised is doing their customers a disservice,” said Johnson.
Noting the high value of the information to which location aggregators hold the keys, Johnson said companies that trade that kind of information “should expect to be targeted by groups with nation-state level capabilities.” He added: “Knowing this, it's deeply disappointing to see Securus be this lax and unsophisticated with their security to the point that usernames, email addresses and hashed passwords were stored in spreadsheets.”
Wyden on Friday pointed to the Securus hack and to reports that four major wireless carriers were selling real-time location data to data aggregator LocationSmart, whose buggy website allowed anyone to track another person's location, tweeting “If the @FCC refuses to act after this revelation then future crimes against Americans will be on the commissioners' heads.”