‘Dark web’ data sale threatens vast government data breach

By on 09/10/2019
A seller on the dark web claims they have access to a Brazilian government database containing 16GB of personal information about citizens. (Image courtesy: Pixabay)

Personal information including the names, dates of birth and taxpayer IDs of 92 million Brazilians is being advertised for sale on the ‘dark web’, in what could be one of the biggest government data breaches in history.  

The seller, known only as X4Crow, claims they have records on nearly half of Brazil’s 209 million citizens – potentially the country’s entire working population.

X4Crow is promoting the auction on multiple restricted-access underground markets, according to BleepingComputer, which has seen a post on one of the forums in which the seller claims the database contains 16GB of data. The starting price for the auction is US$15,000 with a step-up bid of US$1,000.

Although the origin of the cache is not revealed in the seller’s announcement, the BleepingComputer journalist was told that it is a government database. This could not be confirmed. But BleepingComputer – which got a tip off from intelligence threat analyst Breach Radar – received a sample of the database and was able to verify that the information about individuals is accurate.  

Search for a fee

The seller is also advertising a search service, saying they can dig up rich information about a Brazilian citizen starting with just a few initial details.

Using input such as full name or taxpayer ID, X4Crow claims to be able to retrieve data from national identification documents, including an ID card or driver’s license, as well as mobile and landline numbers, previous addresses, email addresses, profession, education level, relatives, neighbours, vehicles and license plates. According to BleepingComputer, the seller does not guarantee that all details will be retrieved but says that, on average, a report on an individual might contain 80% of the specifics listed above.

On one freely-accessible forum, X4Crow said that they can also get data on any company and its corporate structure. The price for obtaining this information is US$150, although they offered occasional discounts of US$50.

An independent security consultant told BleepingComputer that this service may rely only partially on the database they want to sell: it is likely that X4Crow has other data sets to scour for the information.

‘Woefully inadequate’ data protection model

If the database is genuine and does contain the personal information of 92 million Brazilian citizens, then it “proves our current data protection model is woefully inadequate,” Corin Imai, a senior security advisor at threat intelligence specialist DomainTools, told Forbes. “Organisations, public and private, need to become smarter at protecting data to mitigate the risk to their customers and their own companies,” she added.  

Paul Edon, senior director of technical services at cybersecurity software firm Tripwire, told Forbes that this latest incident is indicative of cybercriminals becoming increasingly motivated by the money they can make from selling personally identifiable information. “Organisations and governmental bodies need to consider going above and beyond the security measures recommended as standard practice, or they will find themselves unprepared,” Edon said. “When retaining this kind of data it is critical to choose an encryption solution that not only protects the database but also provides protection for data in transit and at rest.”  

Government data breaches

Although the vast majority of data breaches – including 14 of the 15 largest data breaches of the 21st century – affect private sector customers, government data breaches are relatively common. 

The United States has been the target of numerous major cyber-attacks on departments and agencies, including the Office of Personnel Management, the Department of Veteran Affairs, the National Archives and Records Administration, and the Virginia Department of Health Professionals.

The 10 biggest US government data breaches – which all occurred between 2006 and 2015 –affected 348 million American citizens in total. The most serious occurred in 2015, when a hacker uncovered a database containing various pieces of personal information relating to 191 million people registered to vote.

In September, it was revealed that the personal data of the entire 16.6 million population of Equator had been leaked online. Although the data, which was being stored on an unsecured server in Miami, Florida, is owned by an Ecuadorian company, the leaked database appears to contain information obtained from sources including Ecuadorian government registries.

The information leaked included full name; date and place of birth; home address; place of work; home, work and mobile phone numbers; and salary information.

Clamp down on unvetted IT providers

It was also announced last month that New Zealand had clamped down on government agencies using unvetted IT service providers, following a data breach which saw a supplier inadvertently leak hundreds of people’s personal information.   

The government has taken steps to more tightly control rules around privacy and systems security after the breach at the Ministry for Culture and Heritage, which allowed more than 300 people’s birth certificates, passport numbers and drivers’ licences to be viewed online.

The data breach involved inadequate security arrangements by an unnamed IT provider – which was not on the list of approved suppliers – covering sensitive information submitted to the Tuia 250 website, through which people could apply to take part in a commemorative voyage acknowledging the first onshore encounters between Maori and British settlers in 1769.

Images of documents provided by the applicants may have been publicly available online for more than two months before the breach was discovered on 22 August.

Initial investigations indicate that the breach was not the result of a targeted attack, but an opportunistic find of insecure information.

About Mia Hunt

Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *