Federal authorities charged a former inmate with successfully breaking into prison computer systems during his incarceration and stealing identity information on prison personnel. Beware: if hacking can happen under the noses of federal prison authorities, then your company is certainly not immune.
A press release from the Attorney General's office in Boston describes the indictment:
[Francis G. Janosko, age 42,] is alleged to have obtained the password to a prison management program and to have made available to other inmates a report listing the names, dates of birth, Social Security numbers, some addresses and telephone numbers of over 1,100 current and former prison personnel.
According to the release, the prison allowed inmates computer access to a system containing legal research information and "nothing else." Janosko bypassed security by "exploiting a previously-unknown idiosyncrasy in the legal research software":
As configured, the computer prevented inmates from accessing the Internet, e-mail, other computers on the prison's networks, or even other computer programs on the legal research computer.
To understand this issue more thoroughly, I spoke with John Otero, senior partner at Black Storm Cyber Security & Forensics and former member of the NYPD Computer Crimes Squad. John emphasized that access control is not sufficient in an environment where security is important:
It's important to physically separate systems in addition to employing logical access control. Ideally, you should have two completely independent, unconnected systems, but building redundant systems can become expensive. Given the cost, and depending on the specific environment, it can be acceptable to isolate the systems on different network subnets using routers and firewalls.
In this case, the legal research computer evidently shared a network with the prison management system the inmate reached, so once the application-level restriction failed, nothing at the network layer stood in the way. Their level of security was plainly insufficient for their requirements.
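To make the segmentation advice concrete, here is an added illustration (not code from the article, and not a description of the prison's actual network): a flat "allow everything" policy beside a default-deny policy in which inmate kiosks may reach only the legal research server on HTTPS. The subnets, hosts, ports and interface names are assumptions chosen for the example. The policy is modelled in Python so it can be checked offline, and rendered as an nftables forward chain of the kind a router/firewall between the subnets would enforce.

```python
"""Model of a segmented network with a default-deny firewall policy.

Added illustration, not code from the article. Subnets, hosts and ports are
assumptions for the example, not facts from the case record.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Assumed address plan: one subnet per role, with a router/firewall between them.
KIOSK_NET = IPv4Network("10.10.1.0/24")     # inmate legal-research kiosks
RESEARCH_NET = IPv4Network("10.10.2.0/24")  # legal-research content server
ADMIN_NET = IPv4Network("10.10.3.0/24")     # prison-management application and staff data

RESEARCH_SERVER = IPv4Address("10.10.2.10")      # assumed
PRISON_MGMT_SERVER = IPv4Address("10.10.3.10")   # assumed
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "accept" or "drop"


def evaluate(policy: List[Rule], src: IPv4Address, dst: IPv4Address,
             dport: int, default: str = "drop") -> str:
    """First matching rule wins; otherwise the chain's default action applies."""
    for r in policy:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


# Weak setting: one flat network; access control is left entirely to the applications.
FLAT_POLICY = [Rule(ANY, ANY, None, "accept")]

# Corrected setting: kiosks may reach the research server on 443 and nothing else.
# Every other flow (kiosk -> admin subnet, kiosk -> other kiosks) hits the default drop.
SEGMENTED_POLICY = [
    Rule(KIOSK_NET, IPv4Network(f"{RESEARCH_SERVER}/32"), 443, "accept"),
]


def kiosk_can_reach(policy: List[Rule], dst: IPv4Address, dport: int) -> bool:
    """Can a kiosk (assumed address 10.10.1.25) open a new connection to dst:dport?"""
    return evaluate(policy, IPv4Address("10.10.1.25"), dst, dport) == "accept"


def to_nftables(policy: List[Rule], default: str = "drop") -> str:
    """Render the policy as an nftables forward chain for the inter-subnet router."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {default};",
        "    ct state established,related accept",  # replies to allowed flows
    ]
    for r in policy:
        l4 = f" tcp dport {r.dport}" if r.dport is not None else ""
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{l4} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: kiosk -> prison mgmt server:1433 =",
              kiosk_can_reach(policy, PRISON_MGMT_SERVER, 1433))
    print(to_nftables(SEGMENTED_POLICY))
```

The point of the check is the one made in the quote above: with the flat policy, a bug in the kiosk application is all that separates an inmate from the staff database, whereas with the segmented policy the same bug yields a connection attempt that the router drops. The `ct state` line is what lets the kiosk receive replies from the research server without opening any inbound path.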
THE PROJECT FAILURES ANALYSIS
At least two failures combined to produce this breach: an access control flaw in either the legal research application or the operating system, and poor IT practice in network segmentation and control that let the compromised machine reach the prison management system.
Although I suspect poor computer security practice by the prison IT department contributed to this problem, let's view the situation in context. Security lapses in which organizations lose data containing personal information of employees and customers are common. For example, consider the following cases:
- A laptop containing information on 150,000 government workers was stolen from a Deloitte employee.
- The Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals.
- HSBC, the UK’s largest bank, lost an unencrypted data disc containing the names and insurance information of 370,000 customers.
Without excusing the prison IT department, which certainly failed in a major way according to my read of the facts, we must recognize the larger pattern: organizations in both the private and public sectors still do not manage security with a sufficient level of seriousness.