With so many data breaches and hacks happening all the time, it’s easy to become blasé, thinking “so what?” and that it doesn’t really matter anymore.
That’s until you hear from the victims and realise how devastating it can be to have confidential information leak out.
Last weekend, the former Dutch government innovation architect and founder of internet security organisation GDI.Foundation Victor Gevers disclosed on social media that he’d been hacked.
It was pretty bad. His personal and GDI.Foundation email accounts hosted by Google had been compromised. Gevers’ Facebook account had its multi-factor authentication disabled so the attackers got in there too and took it over.
Once they had broken into the account, the attackers started posting Gevers’ private Facebook content to the Imgur image sharing site. That’s how he became aware of the hack.
From there, things got really ugly. The attackers went through Gevers’ email folders and “doxed” him by posting sample messages to several file-sharing websites.
They also threatened to release all the data they had captured from him as a torrent, and tried to blackmail him, asking Gevers to send five Bitcoins (just under $25,000) as an “apology”. Gevers isn’t going to pay.
Now, Gevers is a security pro who has responsibly disclosed heaps of vulnerabilities and information leaks to a variety of agencies and organisations over the years as a public service.
One involved the Russian government reusing the login credentials for the mandatory remote-access backdoor into IT systems that local and foreign companies in the country must have.
Those login credentials ended up on open, internet-facing databases that anyone could access, leaving scores of companies such as Disney and a large Russian telco wide open.
Gevers told me it took almost three and a half years before the dire situation was sorted out. During that time, he kept quiet about the vulnerability as that is how responsible disclosure works.
His security work has kept Gevers busy over the years, and he neglected the security of a family PC, which meant that the attackers got hold of his work communications as well.
Gevers had to contact more than 700 organisations with undisclosed vulnerabilities to warn them that hackers had stolen details of these from his emails.
At this stage, we don’t yet know how bad the leaked vulnerabilities are.
The disclosed Russian flaw is, however, an indicator as to how serious they could be.
Attacking Gevers was arguably a mistake. He is a respected member of the infosec community who will receive full support in his efforts to track down the people behind the hack and has plenty of incentive to do so.
That said, the hack Gevers suffered is a case study of sorts that illustrates that we mustn’t be complacent about information storage security.
Data breaches hurt not only you, but other people and organisations that you’re connected to as well.