Insider steals 79,000 email addresses at work to promote own business

A former council staff member in the district where William Shakespeare was born ransacked databases filled with residents' information to help drum up new business for their outside venture. The UK's Stratford-on-Avon District Council concluded its investigation into a November data breach last week, finding tens of thousands …

  1. elsergiovolador Silver badge

    Safety

    It's so reassuring to know that for instance our health records will be held in one place, so there is totally no chance that a rogue employee will download it and put it up on Dark Net, so that we could access them quicker without having to wait for Subject Access Request to be processed cod knows how long for.

    1. Anonymous Coward

      Re: Safety

      "cod knows how long"?

      Sounds a bit fishy to me!

      (sorry - your typo made me laugh).

      1. elsergiovolador Silver badge

        Re: Safety

        No, this was a "bait" to lure readers into a sea of thought...

      2. Jonathan Richards 1 Silver badge
        Go

        Re: Safety

        processed cod, what's more. Fish fingers, prolly.

        OK, I'm off. I know my plaice.

        1. Autonomous Comrade

          Re: Safety

          what a load of pollocks

    2. Big Softie

      Re: Safety

      Don't start on the fish puns...they're never ending and just a red herring as far as the main story is concerned. There's a time and plaice for everything, this was just a sole incident

      1. Michael Wojcik Silver badge

        Re: Safety

        Great. Now we're floundering in the things.

  2. gumbril

    You what?

    > We have concluded through our investigations that this data breach was a deliberate act by an individual, and not a breakdown of the robust internal controls we have in place.

    Which utter moron wrote this? What are internal controls for, if not for this kind of thing? A deliberate act by an internal is threat number one, so they either broke down, or they are not robust.

    1. John Robson Silver badge

      Re: You what?

      But it *sounds* nice to the public...

    2. Pascal Monett Silver badge
      FAIL

      Re: You what?

      Indeed. It is totally a breakdown of internal controls.

      Either that, or they weren't controlling who could download the database.

      1. TheMeerkat

        Re: You what?

        There is no way you can avoid someone having access, whatever "robust procedures" you invent. Someone has to administer the database and access to it, and that person will be able to download.

        There is no choice but to trust someone.

        On the other hand they managed to find who has done it, so the setup was not that bad.

  3. ColinPa Silver badge

    These guys are amateurs and need to go on a course.

    Where is the standard response as taught in "how to manage a data breach - 101". "Lessons will be learned"

    I would expect staff can only access one record at a time - there should be no need to access all the data at once.

    1. 42656e4d203239 Silver badge
      Alert

      Re: These guys are amateurs and need to go on a course.

      >>I would expect staff can only access one record at a time - there should be no need to access all the data at once.

      Any DBA of a database can access all the data using a suitable command shell/query language.

      Obviously that shouldn't be available to normal staff but we don't know if the miscreant in this case was a DBA or Normal staff... nor do we know if normal staff had access through command line tools by intent or omission.

      1. Lyndon Hills 1

        Re: These guys are amateurs and need to go on a course.

        Even if the person wasn't a DBA, they might be able to use an office tool like Excel, or other reporting tools. Some reporting tools provide the ability to download the data as csv, for easy onward use.

        1. Mike007 Silver badge

          Re: These guys are amateurs and need to go on a course.

          Takes one suitably senior person to insist mail merge in word is easier than using the supplied bulk mailing tools, and as if by magic an export button appears... Either put there by you, or your competitor.

          We have had a receptionist make such a demand, and get supplied with an export of the entire user database...
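The thread above argues that a clerk should only ever need one record at a time, while a DBA, a reporting tool or a mail-merge "export button" can pull the whole table. Whatever the access path, the thing a defender can still do is watch the record-access audit trail for one user touching far more records than a case worker ever would, or invoking a bulk export at all. The following is an added example (not code from any commenter, the council or The Register) of that detection logic run over constructed audit lines; the log format, the 10-minute window and the 50-record threshold are assumptions for the demo.

```python
"""Flag users whose record-access pattern looks like a bulk export.

Added example. The audit-log format (ISO timestamp, user, action, record id)
and the policy numbers below are assumptions, not a real system's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_RECORDS_PER_WINDOW = 50   # assumed policy: a clerk handles one case at a time


def sample_log():
    """Constructed audit lines: clerk1 works normally, clerk2 walks the table,
    clerk3 presses the export button."""
    lines = [
        "2023-11-06T09:00:01Z clerk1 READ garden/10001",
        "2023-11-06T09:02:15Z clerk1 READ garden/10002",
        "2023-11-06T09:05:40Z clerk1 READ garden/10003",
    ]
    base = datetime(2023, 11, 6, 9, 1, 0)
    for i in range(120):   # 120 distinct records in two minutes
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} clerk2 READ garden/{20000 + i}")
    lines.append("2023-11-06T09:30:00Z clerk3 EXPORT garden/all")
    return lines


def parse(line):
    ts, user, action, record = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, record


def detect_bulk_access(lines, window=WINDOW, limit=MAX_RECORDS_PER_WINDOW):
    """Return {user: reason} for every user who exceeded the per-window
    distinct-record limit or issued an EXPORT, whichever came first."""
    alerts = {}
    recent = defaultdict(deque)   # user -> deque of (timestamp, record) in window
    # ISO-8601 timestamps sort lexically in chronological order, so a plain
    # sort is enough to replay the log in time order.
    for line in sorted(lines):
        ts, user, action, record = parse(line)
        if action == "EXPORT":
            alerts[user] = f"bulk export of {record}"
            continue
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > limit and user not in alerts:
            alerts[user] = f"{distinct} distinct records in {window}"
    return alerts


if __name__ == "__main__":
    for user, reason in detect_bulk_access(sample_log()).items():
        print(f"ALERT {user}: {reason}")
```

The window-and-threshold approach catches the slow walk through a table as well as the one-click export; in practice the same counter would be fed from the database's own audit log or the application's access log, and the threshold tuned to the real case load.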

  4. Phil O'Sophical Silver badge

    Slap on the wrist?

    Which is exactly why this behaviour will continue, it's not considered any more serious than nicking pencils from the stationery cupboard. At the very least, this moron should be required to personally compensate everyone whose email he compromised.

    1. alain williams Silver badge

      Re: Slap on the wrist?

      this moron/crook should be required to personally compensate everyone whose email he compromised.

      A minimum of £5/head would be good. This might deter others, in the future, from doing likewise.

      Every Saturday in the local market in the stocks would be a nice addition - especially if the rotten tomatoes were to be paid for by him.

      1. Alan Brown Silver badge

        Re: Slap on the wrist?

        "A minimum of £5/head would be good"

        Unless and until the UK imposes statutory minimum damages, this won't happen, because demonstrable per-recipient damages are pence

        That's the REASON the USA TCPA was created to deal with fax spam and the per-message penalties were written into law

        It doesn't help that NOBODY in the media is pointing out that email marketing is "cost shifted" where the recipients bear the vast majority of the total costs. Cost shifting was made illegal in other venues a long time ago for the abuse reason (it's also why mailing a letter went from "recipient pays" to "sender pays" over 200 years ago, with a stamp to prove it)

    2. I am David Jones Silver badge

      Re: Slap on the wrist?

      And soooo much more profitable than nicking pencils….

    3. Alan Brown Silver badge

      Re: Slap on the wrist?

      A police caution is persistent and shows up on criminal record searches

      As part of getting a caution, the miscreant is explicitly acknowledging in writing that they are guilty of the accusation - hence the CRB marker

      It's not quite a wet bus ticket, but if they do it again they won't get a second caution - and part of the caution usually includes conditions to abide by which will upgrade the caution to a prosecution if breached - where the admission of guilt will be used going forward

  5. dippy1

    A slap on the wrist?

    "The individual behind the data theft, who has not been named, was referred to Warwickshire Police and was subject to investigation from law enforcement, but has escaped with an official caution – a slap on the wrist. "

    That all???

    No deterrent to stop it happening again by a "rogue".

    "Apparently they "apologized sincerely" and the police confirmed that all data had been deleted."

    Do it and then beg forgiveness?????? How sincerely?

    How is anyone certain that ALL COPIES have been deleted?

    1. werdsmith Silver badge

      Re: A slap on the wrist?

      There's also the seeking alternate employment part. Assuming the side hustle isn't up and running enough to pay the bills.

    2. Natalie Gritpants Jr

      Re: A slap on the wrist?

      No need to make a copy, just recover from the waste-basket once the cops have left.

  6. Doctor Syntax Silver badge

    Apparently they "apologized sincerely" and the police confirmed that all data had been deleted.

    To whom? Not, I'll be bound, to the 79,000 whose email addresses were nicked and, presumably, spammed.

    So the only penalty was that they lost their job, but as they had started a new business it may well have been that they had quit anyway. The best that can be hoped for is that, having proved themselves untrustworthy to do business with and probably pissed off 79,000 potential customers with spam, the business fails.

    1. davidemoffat

      yeah but who and what business? As one of the 79,000 I want to make sure I avoid this person and their business.

  7. Anonymous Coward

    Safeguards

    I had a contract at a place. They were using a Popular Cloud-Based CRM. They made use of the security feature where only their egress IP was able to access their stuff. Which was fine - until the ex-employee was able to connect to the guest WiFi from outside the building and slurp all the contacts. Marketing had dealt with the CRM people without involving IT so no leavers' process to delete the account.

    1. Pascal Monett Silver badge
      Trollface

      Re: Safeguards

      Well they can safely say that it is not a breakdown of internal procedures, since no internal procedures were actually used.

    2. Giles C Silver badge

      Re: Safeguards

      Well I wouldn’t say IT was entirely blameless, the guest WiFi could obviously connect to internal resources, and must have used static credentials otherwise how would they have gained access.

      Neither of these seems to be good practice.
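Two distinct failures are described in this sub-thread: the CRM account of a leaver was never disabled because the SaaS was bought without IT and so never entered the leavers' process, and the IP allowlist was no control at all because the guest WiFi shared the office's egress range. Both are cheap to check mechanically. The following is an added example (not code from the commenters or any CRM vendor) of a reconciliation that lists enabled CRM logins with no active HR record, and of an overlap check between the allowlisted ranges and other networks that reach the internet through the same egress. The HR roster, CRM user list and address ranges are constructed; the IP ranges are documentation addresses used as placeholders.

```python
"""Offboarding and allowlist sanity checks. Added example with constructed data."""
from ipaddress import ip_network

# Constructed HR roster: login -> employment status.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "left", "left_on": "2023-10-31"},
    "carol": {"status": "active"},
}

# Constructed export of the SaaS CRM's user list (bought by marketing, so
# "dave" is a contractor login that HR never knew about).
CRM_USERS = [
    {"login": "alice", "enabled": True},
    {"login": "bob",   "enabled": True},
    {"login": "carol", "enabled": False},
    {"login": "dave",  "enabled": True},
]

# Placeholder ranges (RFC 5737 TEST-NET-3): the CRM allowlist entry for the
# office, and the range the guest WiFi is NATed out of.
CRM_ALLOWLIST = [ip_network("203.0.113.0/28")]
OTHER_EGRESS = {"guest-wifi": ip_network("203.0.113.8/29"),
                "branch-office": ip_network("198.51.100.0/24")}


def stale_accounts(crm_users, hr_roster):
    """Enabled CRM logins that belong to a leaver or to nobody HR knows of."""
    stale = []
    for user in crm_users:
        if not user["enabled"]:
            continue
        record = hr_roster.get(user["login"])
        if record is None or record["status"] != "active":
            stale.append(user["login"])
    return stale


def allowlist_collisions(allowlist, other_egress):
    """Networks that are not the office yet fall inside an allowlisted range,
    i.e. clients there would pass the source-IP check too."""
    collisions = []
    for name, net in other_egress.items():
        for allowed in allowlist:
            if allowed.overlaps(net):
                collisions.append((name, str(net), str(allowed)))
    return collisions


if __name__ == "__main__":
    print("accounts to disable:", stale_accounts(CRM_USERS, HR_ROSTER))
    print("allowlist collisions:", allowlist_collisions(CRM_ALLOWLIST, OTHER_EGRESS))
```

Run on a schedule, the first check turns the missing leavers' process into a daily diff rather than a hope; the second is the question to ask before trusting any source-IP allowlist: which other networks leave the building through that same address?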

  8. Lee D Silver badge

    I use individual emails for every company I deal with.

    So if I'm signing up for one service, I know exactly what email I gave them, and if I get spam, I know exactly where that address came from. And if I don't "create" an address for a company, there's no way to contact me except on a generic account (e.g. my name) which I never give out.

    Then I got an email selling furniture for schools (which was quite clearly a new company spamming to drum up business). I wondered how they had got hold of my address as it wasn't anything I'd ever signed up for. Turned out that the email address they were using was the one I had given RM (remember them?). And they seemed to be an entirely unrelated company.

    I unsubscribed, and they still spammed me relentlessly, so I called them up. It took a while for them to get what I meant, and then got to someone who I could actually confront, who was instantly red-faced and sheepish.

    Turned out that their director was a former employee of RM, who had recently left to set up a company of their own, and in the process had stolen the entire RM address book and used it to spam all their customers.

    To say they were shocked I'd managed to expose this in the matter of hours of being sent an email, that they then panicked trying to undo it all, and that they promised rather comprehensively I would never get another email from them ever again (that was my deal that I offered... I don't care where you got the address from, but if I receive a single further email from you, there'll be a nice message winging its way to RM's data protection department) is an understatement. They soiled themselves.

    I never did get another email, nor buy anything from them. And I kind of judge RM that their customer address database / CRM / whatever lets you just exfiltrate the entire contents like that.

    But it happens all the time, and it just shouldn't be possible. Why does anyone working at RM (or indeed anywhere) need to see my email address, or be able to export the entire address book to a third party device?
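Lee D's scheme works because every address is a label that says which company it was issued to, so a spam arriving at one of them identifies the leak without any guesswork. The bookkeeping is the tedious part, so the following added example (not the commenter's own tooling) keeps a small registry of issued addresses, supports both dedicated local parts and `user+tag` sub-addressing, and resolves the recipient address of a received message back to the party it was given to. The domain `example.org`, the registry entries and the sample message are constructed.

```python
"""Trace which company leaked an address, given a per-company alias registry.

Added example. Domain, registry and the sample message are constructed.
"""
import email
from email.utils import parseaddr

MY_DOMAIN = "example.org"
UNISSUED = "no alias issued"   # an address nobody was ever given

# Constructed registry: alias (local part or +tag) -> party it was issued to.
ALIASES = {
    "rm-2019": "RM",
    "council-garden": "District council garden waste scheme",
    "bank-x": "Bank X",
}


def issuing_party(address):
    """Return the party the address was issued to, UNISSUED if it was never
    handed out, or None if the address is not ours at all."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != MY_DOMAIN:
        return None
    # Both "rm-2019@..." and "me+rm-2019@..." map to the tag "rm-2019".
    tag = local.split("+", 1)[1] if "+" in local else local
    return ALIASES.get(tag, UNISSUED)


def trace_leak(raw_message):
    """Return (recipient address, issuing party) for a received message,
    preferring Delivered-To (set by our MTA) over the sender-controlled To."""
    msg = email.message_from_string(raw_message)
    header = msg.get("Delivered-To") or msg.get("To") or ""
    _, address = parseaddr(header)
    return address, issuing_party(address)


# Constructed spam as it would arrive in the mailbox.
SAMPLE_MESSAGE = """\
Delivered-To: rm-2019@example.org
From: sales@furniture.example.com
To: rm-2019@example.org
Subject: School furniture offers

Great deals on classroom chairs!
"""

if __name__ == "__main__":
    address, party = trace_leak(SAMPLE_MESSAGE)
    print(f"{address} was issued to: {party}")
```

A hit on a registered alias is the evidence to put in front of the leaking company's data protection contact; a hit on `UNISSUED` means an address was guessed or scraped rather than leaked by a counterparty, which is a different problem.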

    1. Doctor Syntax Silver badge

      I think in your place I might have contacted RM first. They're clearly the ones ultimately responsible for letting an employee walk off with the data. Assuming it was post GDPR they should also have reported themselves to the ICO.

      Then I'd have told the new company that they had to report themselves to the ICO within the statutory 72 hours.

      And made clear that I'd report them both myself before the 72 hours were up so if they wanted to get in first to look good they'd better move.

      1. heyrick Silver badge

        Report themselves to the ICO...

        ...Uh-huh. You mean this ICO?

  9. tiggity Silver badge

    "It is important to stress that this information only contained email addresses, it did not contain any bank details, or names and addresses."

    Well, it probably did contain some names / name related information.

    Many people have email addresses that include their surname and forename (albeit may often be abbreviated forename e.g. Rich instead of Richard etc.) or surname (plenty of friends I know where a couple share an email address for "general" emails so I would email them at something like thesmiths@whatever.com)

    So, I'm betting at least some emails could be directly matched to people (given addresses only covered a small area of the UK), or if not precisely matched, could be just one of a handful of people in that part of the West Midlands.

  10. JimmyPage
    Stop

    Any DBA of a database can access all the data using a suitable command shell/query language.

    Not true.

    Homomorphic encryption

    The fact it's not more widely used suggests the powers that be aren't so keen on the idea of data they can't slurp.

    1. Anonymous Coward

      Re: Any DBA of a database can access all the data using a suitable command shell/query language.

      Take off the tin foil hat

      Other reasons include it being difficult and sometimes it is necessary to read data for support purposes.

      Looking at that Wikipedia article it seems at first glance that what is possible is limited, and it's not at all straightforward. It also raises the suspicion that customising software with new functionality with reasonably short timescales is likely to be difficult. Time is money, companies are going to take the quickest reasonably secure option.

      I know of an instance where a developer decided to be 'clever' and use some encryption technologies so no-one, including support staff or development, could read certain stored documents. Unfortunately in their usual rush to use a fancy new technology and gain plaudits/money they didn't understand encryption ciphers well enough and it resulted in unwanted information disclosure.

      It wouldn't have happened if they hadn't tried to use a sophisticated approach, or if they'd asked someone with even a vague knowledge of what types of encryption should and should not be used.

      The number of people that understand even basic encryption limitations is distressingly low. There's no excuse for it, but it remains the case. The number of people that can safely code and implement anything beyond calling a turnkey library is vanishingly small.

  11. AustinTX
    Facepalm

    My CSB

    When I worked for Austin TX internet provider io.com, you could telnet in as guest and just browse the filesystem directories! You could go to /home and just harvest all of the usernames at that level, and often you could dip into customers' /home/%username%/mail folders to get additional mailbox names. You'd just send your spams to %usernames%@io.com.

    How could you just telnet in, you ask? Well, they had a public telnet portal to log in and reset passwords, update PLAN and open help tickets. It was based on using LYNX browser as the shell instead of BASH. So, aside from failing to set permissions properly throughout the system, to keep customers from browsing outside their own account folders, they forgot to disable LYNX's file browser feature (press g, period, enter). Pretty sad, considering the staff liked to think of themselves as burningman_cybergods and the company was boldly claiming to run a "hardened network" and selling security products on that basis!

    Search for io.fondoo.net on archive.org if you want the detailed story (which I added to the sidebar of my snapshot of the company's website).
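The two defects AustinTX describes are a world-listable /home (usernames enumerable) and customer mail folders that any account could read, with the restricted shell's file browser as the means of reaching them. The first two are ordinary permission-bit mistakes that an audit script catches regardless of which shell escape is used to look. The following is an added example (not the commenter's material or anything from io.com) that builds a constructed home-directory tree in a temporary directory with deliberately mixed permissions and reports what another local user could enumerate or read.

```python
"""Audit a home-directory tree for other-readable homes and mail folders.

Added example. The sample tree is constructed in a temp dir; the real
check would be pointed at /home (or wherever customer homes live).
"""
import os
import stat
import tempfile


def _other_can(path, bit):
    return bool(os.stat(path).st_mode & bit)


def audit_homes(home_root):
    """Return which usernames are enumerable and which home or mail
    directories any other local user can read."""
    findings = {
        # o+r on the parent means `ls /home` lists every customer's username.
        "usernames_enumerable": _other_can(home_root, stat.S_IROTH),
        "exposed": [],
    }
    for name in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, name)
        if not os.path.isdir(home):
            continue
        if _other_can(home, stat.S_IROTH):
            findings["exposed"].append(name)
        mail = os.path.join(home, "mail")
        # A home that is traversable (o+x) but not listable still exposes a
        # known-named subfolder such as mail/ if that folder is o+r.
        if _other_can(home, stat.S_IXOTH) and os.path.isdir(mail) \
                and _other_can(mail, stat.S_IROTH):
            findings["exposed"].append(name + "/mail")
    return findings


def build_sample_tree():
    """Constructed tree: alice is locked down, bob's home is listable,
    carol's home is merely traversable but her mail folder is readable."""
    root = tempfile.mkdtemp(prefix="homes_")
    layout = {"alice": (0o700, 0o700), "bob": (0o755, 0o700), "carol": (0o711, 0o755)}
    for user, (home_mode, mail_mode) in layout.items():
        home = os.path.join(root, user)
        mail = os.path.join(home, "mail")
        os.mkdir(home)
        os.mkdir(mail)
        os.chmod(mail, mail_mode)    # chmod, since mkdir's mode is umask-filtered
        os.chmod(home, home_mode)
    os.chmod(root, 0o755)            # mirror a typical world-listable /home
    return root


if __name__ == "__main__":
    print(audit_homes(build_sample_tree()))
```

The expected report for the sample tree flags `bob` and `carol/mail` and notes that usernames are enumerable; fixing it is a matter of `chmod 711` on the parent and `chmod 700` on each home, which is what a default user-creation policy should have applied in the first place.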

  12. jimbo60

    What database?

    A garden database? Seriously, they need to track gardens?

    1. StuK

      Re: What database?

      My email address will have been on the list; it's a list of the poor people they con an extra £40 a year out of for green bin collection because £260 a month is not enough! Who would think to complain to the council about unsolicited emails? I get them every day and I personally find it quite impressive that the source of the breach was discovered. This type of breach will happen all the time, but most people don't care about unsolicited emails because you get so many of them.

  13. rickl

    Clickbait title

    It is highly likely the individual took a copy of the email database; that's not the same thing as stolen. The individual could only have 'stolen' them if he/she removed the database entries from the victim. Just like downloading music back in the early 2000s, it was never stolen, it was simply downloading a copy someone else had uploaded into the public domain. Naturally the music labels didn't like that despite the internet supposedly being free and open at the time; which is a far cry from what it is today.
