By John Finch, information governance manager, Plymouth City Council
We had a cyber-breach a couple of years ago that we learnt some deep and serious lessons from: 29 Plymouth.gov.uk email addresses were found in a password file dump on VirusTotal, a website owned by Google where people upload virus signatures. The service desk took the call and the first thing they did was change all the staff passwords, just in case they had been used for network access.
The email addresses were all from the same department and all involved with a website called Summer Mix, which was externally hosted – a programme we run in Plymouth every summer with free activities like dance classes and horse-riding.
To sign up, people went to the website and provided their email address, a password, the courses they wanted and other sensitive information. As soon as we became aware of the link, alarm bells started ringing.
We phoned the supplier and told them to turn off the website immediately. This was January, so we were a bit puzzled as to why the site was still running, given the programme finished in August. We then asked: can you give us a copy of the database behind it and all the log files you’ve got, do you do any analysis of the traffic, and can you check your code to see if there are any vulnerabilities? We also contacted VirusTotal and got the whole password dump – and discovered that the file had originally been placed on the website Pastebin before it was copied to VirusTotal.
Additionally, we notified the ICO (Information Commissioner’s Office) and the NCSC (National Cyber Security Centre) immediately.
The supplier came back and said they couldn’t find anything wrong. But we compared the VirusTotal dump file and the supplier’s database, and were able to identify that it wasn’t just 29 addresses: it was 1,700 people’s details that had been compromised. I was horrified by the log file: in the month up to the attack, there were thousands and on some days hundreds of thousands of visits to the site. Most of the IP addresses weren’t from the Plymouth area or from the UK. It was quite obviously an SQL injection attack. These sorts of things should have been stopped by the website itself.
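The defect behind an SQL injection attack is the website building a query out of whatever the visitor typed, so that the input can rewrite the query instead of being treated as data. The example below is added here to illustrate the point; it is not the Summer Mix site's code or the supplier's, and the table layout, sample registrations and email addresses are all constructed. It shows a lookup written the vulnerable way next to the parameterised form that should have stopped this kind of attack, and stores passwords as salted PBKDF2 hashes so that a dumped table does not hand out passwords that are reusable on other sites, which is what the letters had to warn people about.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample registrations (invented emails, passwords and details)
# mimicking the kind of data an activity sign-up site might hold.
SAMPLE_ROWS = [
    ("alice@example.org", "summer2016", "Child A", "asthma, carries inhaler"),
    ("bob@example.org", "horses123", "Child B", "nut allergy"),
    ("carol@example.org", "dance!", "Child C", ""),
]

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns 'salt:digest' in hex.
    A dump of this column does not give away reusable passwords the way a
    plaintext column does."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrations (email TEXT, password TEXT, child TEXT, medical TEXT)")
    conn.executemany(
        "INSERT INTO registrations VALUES (?, ?, ?, ?)",
        [(e, hash_password(p), c, m) for e, p, c, m in SAMPLE_ROWS],
    )
    return conn


def lookup_unsafe(conn, email):
    """VULNERABLE: the user-supplied value is pasted into the SQL text, so the
    input can change the query's logic and return rows it should not."""
    sql = f"SELECT email, child, medical FROM registrations WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT email, child, medical FROM registrations WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def login_safe(conn, email, password):
    """Parameterised lookup plus salted-hash verification."""
    row = conn.execute("SELECT password FROM registrations WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # input that rewrites the unsafe query's WHERE clause
    print("unsafe lookup rows:", len(lookup_unsafe(db, crafted)))  # every registration
    print("safe lookup rows:  ", len(lookup_safe(db, crafted)))    # none
    print("login ok:", login_safe(db, "alice@example.org", "summer2016"))
```

Run as a script, the unsafe lookup returns every registration, medical notes included, for an input that is not an email address at all, while the parameterised lookup returns nothing for the same input; that difference is the whole of the fix a penetration test would have flagged.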
We’ve got good contacts with the South West Cyber Crime Team. They sent a guy down within two days who took away all the relevant data so that the team could start analysing it themselves. The information included medical needs for children, as instructors need to know if they have asthma or other conditions that need treating, as well as dietary requirements.
Because this was a major breach, we set up a communications plan, which took three weeks of liaising with the police on what we needed to tell people. We had to send out 1,100 letters rather than 1,700, as some people had registered two or more children.
In the letters, we said: ‘All that was taken was your email address and password, but as you might have used them on PayPal and Amazon, criminals can monetise this.’ We advised that it is good practice not to use the same password on every website, suggested that recipients change theirs, and included advice on choosing secure passwords.
We had two dedicated staff in our contact centre expecting phone calls the day after the letters went out. The response was really low, 12 phone calls in all, which we took as positive. A member of staff who was affected said, ‘everything I needed to know was in the letter’. The ICO came back quickly and did not take any further action. The cybercrime team were unable to bring any charges due to the different locations the attacks originated from.
The lessons that you can take away from this:
- Know which data is being collected on external websites and when they are in use
- Insist on full penetration tests on all external websites
- Insist on monitoring of activity
- Pastebin can be searched for your domain to see if email addresses have been compromised
- Ensure you have a detailed incident response plan
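The monitoring lesson above, and the observation that the log file showed days with hundreds of thousands of visits in the month before the attack, can be turned into a simple check that would have raised an alarm while the site was still live. The script below is an added example, not anything the council or its supplier ran: it parses standard web-server access-log lines, counts requests per day, flags any day whose volume is far above the median of the other days, and lists the busiest client addresses on a flagged day. The log lines, addresses, dates and thresholds are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Regex for the common/combined access-log format: client IP, [timestamp],
# "METHOD path protocol", status. Trailing fields (referer, agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: a few ordinary visits on quiet days and a burst of
# automated requests from one address on 12 January. Addresses, dates and paths
# are invented for this example.
_QUIET = [
    '203.0.113.5 - - [10/Jan/2017:09:12:01 +0000] "GET /summermix/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:11:40:13 +0000] "POST /summermix/signup HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2017:10:02:44 +0000] "GET /summermix/courses HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jan/2017:14:20:00 +0000] "GET /summermix/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Jan/2017:15:01:31 +0000] "GET /summermix/courses HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
_BURST = [
    f'192.0.2.44 - - [12/Jan/2017:03:{i // 60:02d}:{i % 60:02d} +0000] '
    f'"GET /summermix/courses?id={i} HTTP/1.1" 200 2048 "-" "python-requests/2.18"'
    for i in range(200)
]
SAMPLE_LOG = "\n".join(_QUIET[:3] + _BURST + _QUIET[3:])


def parse_log(text):
    """Parse access-log text into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["day"] = rec["ts"].split(":")[0]  # e.g. "12/Jan/2017"
            records.append(rec)
    return records


def daily_totals(records):
    """Requests per day, in the order the days first appear in the log."""
    return Counter(r["day"] for r in records)


def flag_spike_days(records, factor=10.0, min_requests=50):
    """Days whose request count is more than `factor` times the median of the
    other days (and at least `min_requests`), i.e. traffic far above baseline."""
    totals = daily_totals(records)
    flagged = []
    for day, count in totals.items():
        others = [c for d, c in totals.items() if d != day]
        baseline = statistics.median(others) if others else 0
        if count >= min_requests and count > factor * baseline:
            flagged.append(day)
    return flagged


def top_clients(records, day, n=3):
    """Most active client addresses on a given day, as (ip, count) pairs."""
    counts = Counter(r["ip"] for r in records if r["day"] == day)
    return counts.most_common(n)


def report(records):
    """Human-readable daily summary; flagged days list their busiest clients."""
    lines = []
    spikes = set(flag_spike_days(records))
    for day, count in daily_totals(records).items():
        distinct = len({r["ip"] for r in records if r["day"] == day})
        mark = "  <-- SPIKE" if day in spikes else ""
        lines.append(f"{day}: {count} requests from {distinct} clients{mark}")
        if day in spikes:
            for ip, c in top_clients(records, day):
                lines.append(f"    {ip}: {c} requests")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

The thresholds are deliberately crude; the point is that a supplier who is asked to monitor activity should be able to produce a daily summary like this, and a day on which one address accounts for almost all the traffic deserves a phone call before, not after, a password dump appears on Pastebin.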
This is based on John Finch’s talk at the Socitm London and South 2018 conference in London on 15 June 2018. Plymouth City Council now hosts the Summer Mix webpages on its own website and uses a PDF booking form that applicants print off or collect then deliver to a participating youth centre – see https://www.plymouth.gov.uk/youngpeople/summermix2018.