Hundreds of pages of classified material, including counter-terrorism reports, have been accidentally leaked online after a Europol officer left them there and they were found... through Shodan. A rogue hacker was not at fault here, but rather an absent-minded member of the European Union's police force.
The information was due to be released with the broadcast of the Dutch documentary programme Zembla, but Europol admitted the blunder before the TV show's release.
In total, 700 pages of material on Europol investigations, intelligence and practices were found on an internet-linked hard drive that wasn't even password protected. Europol was quick to point out that the information was around 10 years old.
Still, the cache was packed with the personally identifiable information of terrorism suspects as well as details from investigations into the Madrid train bombings of 2004, the Dutch Hofstad Network terror group and foiled terror plots.
Zembla reporters found the information through Shodan, a service which bills itself as “the search engine for the internet of things”. Shodan is regularly used to find vulnerable IoT devices, of which there are plenty. One of the many reasons one might give for the insecurity of the IoT is that devices come with easily guessable default passwords and users don't bother to change them. The hard drive in question was a Lenovo Iomega, the manufacturers of which have said that security is the responsibility of the owners.
The organisation has said that there is no clear indication that the information harmed investigations but says that Europol will continue to look into the matter.
The data was taken by an officer, who is no longer with Europol, for personal use and in breach of Europol policy, something which Jon Fielding, managing director EMEA of Apricorn, said is easier to do than you might think: “This example of highly sensitive data being leaked by an organisation, which by its very nature, has to be one of the most highly secured, only goes to highlight how easy it is to slip up if policies to guard against the use of personal, non-approved and unencrypted devices aren't in place and enforced through technology.”
Brian Chappell, director of technical services EMEAI and APAC at BeyondTrust, told SC that “any time security processes become onerous, beyond what's reasonable to protect the data in question, and begin to impact the ability of staff to do their legitimate work, Shadow IT appears and breaches like this can happen.” He added, “organisations need to look for solutions that protect data and systems in minimally invasive ways, use a layering of security processes and tools so that normal users only need traverse one or two layers but someone wanting to gain access from outside has many layers, effectively rendering the target opaque. Sensible approaches to security should lower the desire for Shadow IT.”
Graham Mann, managing director of Encode Group UK, says “this incident is a classic case study of why humans are the biggest security threat in any organisation. They are unpredictable, illogical and forgetful, a combination that is both challenging to manage and potentially devastating. A sobering thought for all in security management; if someone like this can make such an error of judgement, consider the implications to their own organisation's security.”