
UK Police Data Leaked to Dark Web; Russian Hackers Hold 13 Million Records to Ransom

After an apparent refusal to pay a ransom demand, Russian hackers have leaked a sampling of 13 million records of UK police data to the dark web in retaliation.

The records were stolen from a police contractor, and the Russian hackers released just a small portion of what they stole but have threatened to release more if their demands continue to be rebuffed. It remains unclear exactly what personal information has been breached, but the dark web samples contain indications that the data was stolen from a national traffic monitoring system and contains photos of drivers that were caught speeding.

UK police data taken from contractor, ransom refusal leads to partial leak

The hack is attributed to the Clop gang, a ransomware group that has been operating since 2019 and was particularly active into early 2021 (two of its largest prior breaches were of ExecuPharm and business collaboration firm Accellion). Some members of the gang were arrested in Ukraine over the past summer, but the group’s Russian hackers quickly got it back into business. The group had made tens of millions of dollars from some of its attacks and is considered a major player among cyber criminals.

The group is known to operate a dark web site through which it doxxes victims that do not pay. In this case, the victim was Scotland-based IT support firm Dacoll Group. Dacoll contracts with the UK government to service the Police National Computer (PNC), a shared system used by many of the country’s law enforcement agencies.

Dacoll was apparently phished successfully, giving the Russian hackers access to about 13 million records of UK police data. The firm then refused to pay a ransom demand, the amount of which is unknown. Not much is presently known about what information was compromised, but the group put hundreds of data samples on its dark web site as proof of the attack and threatened to release more if the contractor did not reconsider its position on the ransom.

The National Cyber Security Centre said that it is working with Dacoll and law enforcement agencies to investigate the incident. Dacoll recently issued a statement indicating that the breach happened on October 5. The sampling of UK police data has since been removed from the dark web site, and it is unclear if the Russian hackers intend to follow through with their threats of releasing more of it.

Russian hackers leak information indicating traffic camera data was stolen

Among the samples of the UK police data uploaded to the dark web were traffic camera pictures, of the sort that automatically trigger when a vehicle is detected breaking the speed limit. This indicates that the records were stolen from the Automatic Number Plate Recognition (ANPR) system. Some of the leaked samples show close-up images of the faces of drivers caught by the speed camera.

UK citizens would no doubt like much more detail about exactly what the Russian hackers had access to, but UK agencies and Dacoll are naturally being very quiet about the fine details of the attack. There is reason for concern given that Dacoll provides services to 90% of the UK’s law enforcement agencies through its subsidiary NDI Technologies. The company’s NDI Recognition Systems firm is the one that supports the ANPR systems; UK police data is shared with Highways England and DVLA through the company’s software products.

The Russian hackers have once again highlighted the fact that organizational cybersecurity is only as good as the weakest link in a supply chain of vendors with trusted access, but this time with potentially more serious consequences than usual.

As Saryu Nayyar, CEO of Gurucul, observes: “It’s not clear that evidence released is valuable, although it seems possible that it can be used to identify and blackmail motorists and other individuals … In this case, the data, while it should have been treated as confidential, was easily phished and downloaded. The police and their vendor Dacoll have little incentive to pay this particular ransom, so the identity burden is going to fall on those cited by the evidence. It’s unfortunate that a mistake by Dacoll causes a potential loss for others, so the police should shore up their own systems and do right by those whose evidence has leaked.”

The incident raises the question of what the average person can be expected to do when government agencies, trusted with the most sensitive of their personal information, have a security failing. Heading into the holiday season, it remains to be seen what the UK government will do to remedy the situation; UK citizens still need to know exactly what the Russian hackers made off with. The worst-case scenario would be access to their driver’s license information, a key element for thieves to establish a change of address for the purposes of identity fraud.

Garret Grajek, CEO of YouAttest, points out that the onus falls mostly on the government contractors that have access to this sensitive information: “The real question – is what do enterprises do with all the mayhem occurring? The key is to focus on solid security practices. The NIST guidelines on zero trust (SP 800-27) and cloud security (SP 800-210) are a good place to start. Identity is key to all of these directives and countermeasures. This begins with an enterprise knowing what identities are given authorization to which resources and is imperative to cybersecurity.”

Baber Amin, COO of Veridium, has additional suggestions for securing UK police data at the root: “In this case both the IT firm and UK police should implement matching access control. Preventing successful phishing attacks, as usual, requires a layered approach to security and access.

  1. Eliminate all unauthenticated access by requiring every connection to be authenticated.
  2. Eliminate all single factor authentication by enabling multiple factors.
  3. Depending on the information being accessed, assign different authentication factors based on their trust level.
  4. Create a multi-channel authentication strategy such that a single compromised channel does not compromise the system.
  5. Do not allow full access across all systems even if the user is authenticated via some sort of MFA. Compartmentalize all access.
  6. Implement tools that look for unusual activity, e.g., probing, multiple failures, large data ingestion or large data extraction.
  7. Implement tools that evaluate end point trust and can identify bots and automated processes.
  8. Implement behavioral biometrics to distinguish normal users from bots and bad actors.”
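Item 6 in the list above, the detection of repeated authentication failures and of unusually large data extraction, is the control most directly relevant to a phished contractor account pulling millions of records. The following is an added example, not code from the article or from any of the firms it names; the log format, the thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <event> <bytes>".
# alice shows a burst of failed logins followed by a large export; bob is normal.
SAMPLE_LOG = """\
2021-10-05T08:00:01 alice LOGIN_FAIL 0
2021-10-05T08:00:09 alice LOGIN_FAIL 0
2021-10-05T08:00:17 alice LOGIN_FAIL 0
2021-10-05T08:00:25 alice LOGIN_FAIL 0
2021-10-05T08:00:33 alice LOGIN_FAIL 0
2021-10-05T08:00:41 alice LOGIN_OK 0
2021-10-05T08:05:00 alice EXPORT 40000000
2021-10-05T08:20:00 alice EXPORT 25000000
2021-10-05T09:00:00 bob LOGIN_FAIL 0
2021-10-05T09:30:00 bob LOGIN_OK 0
2021-10-05T09:31:00 bob EXPORT 2000000
"""

FAIL_THRESHOLD = 5                  # failures per user inside one WINDOW (assumed)
WINDOW = timedelta(minutes=10)
EXPORT_THRESHOLD = 50_000_000       # bytes per user in the log period (assumed baseline)

def parse(log_text):
    """Parse the constructed format into (timestamp, user, event, size) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, size = line.split()
            events.append((datetime.fromisoformat(ts), user, event, int(size)))
    return events

def failed_login_bursts(events):
    """Users with at least FAIL_THRESHOLD LOGIN_FAIL events inside any sliding WINDOW."""
    fails = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:   # shrink window from the left
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged.add(user)
                break
    return flagged

def large_exports(events):
    """Users whose cumulative EXPORT volume exceeds EXPORT_THRESHOLD, with their totals."""
    totals = defaultdict(int)
    for _, user, event, size in events:
        if event == "EXPORT":
            totals[user] += size
    return {u: b for u, b in totals.items() if b > EXPORT_THRESHOLD}
```

In production the thresholds would come from a per-role baseline rather than constants, and the two signals would be correlated (a failure burst followed by a successful login and a large export from the same account is far more significant than either alone).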

Given that the Russian hackers took down their teaser sample of the UK police data voluntarily, it is possible that the incident will end quietly as Clop worries that it might attract the same level of heat that REvil recently has (the group has already weathered one wave of arrests). But UK residents will have an extra worry going into the holiday season that they should not have to deal with, as the Home Office takes the tack of downplaying the incident and stalling on giving a public assessment of the potential damage.