lax procedures
So how did they get access to the computer area... did they not take away their badge and remove any physical and computer access?
The British Museum was forced to temporarily close some galleries and exhibitions this weekend after a disgruntled former tech contractor went rogue and shuttered some onsite IT systems. The freelancer gained entry to an unauthorized area late last week to wreak havoc, the Metropolitan Police confirmed. A spokesperson for the …
One place I worked we had one of those - only 5 digits and the number was 141*. Whenever I pressed the 1 a second time it always felt as if it did nothing, so one day I tried it with just 14 and sure enough it opened. A bit later I had to change the number; reading the instructions, yes, you could only use each digit once. What did we do there? Data communication security.
* It's fairly safe to use the actual number as (a) I changed it (several decades ago), and (b) the site has closed and been sold for housing.
Except by their comment, it was a 4-digit code. They were told that it had five digits, and their five digit string worked, but only because the repeated digit wasn't even read in. So this tells us that it was only four digits and repeating a digit wasn't allowed.
With ten digits, the number of combinations using four digits and no repetition would be 10*9*8*7 = 5040, or 2:48:00 at two seconds per combination. A five-digit no-repeated-digit code would be six times as many. Still not good, but a much less intense version of not good. If the repeated entry had put obvious marks on the keypad, though, that would leave only 24 combinations, which would be much easier to crack.
And anyone who has happened upon the Lock Picking Lawyer videos on YouTube will doubtless know that many of those mechanical button locks are fairly quickly decoded by feel.
A bit of learning that was successfully put to the test when my OH's last employer was locked out of a room and the site maintenance guy had gone without noting the code...
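The keypad arithmetic discussed above, worked through as an added example (not code from the original thread): it computes the search space for a keypad code with and without the no-repeat rule, the worst-case time at the two seconds per attempt assumed by the commenter, the 24-candidate case where wear marks reveal which keys are used, and a model of the "second press of the same key does nothing" quirk. The rate and keypad size are the thread's assumptions, not measured values.

```python
from math import factorial, perm

SECONDS_PER_ATTEMPT = 2  # the two-seconds-per-try rate assumed in the thread


def keyspace(buttons: int, length: int, repeats_allowed: bool) -> int:
    """Number of distinct codes of the given length on a keypad with `buttons` keys.
    A lock that ignores a second press of the same key only admits permutations
    without repetition, which shrinks the search space an attacker must cover."""
    if repeats_allowed:
        return buttons ** length
    return perm(buttons, length)


def worn_keys_keyspace(length: int) -> int:
    """If wear marks reveal *which* keys are used (and no key repeats),
    only their order is unknown: length! candidates remain."""
    return factorial(length)


def worst_case_time(candidates: int, seconds_per_attempt: int = SECONDS_PER_ATTEMPT) -> str:
    """Time to try every candidate once, formatted h:mm:ss."""
    total = candidates * seconds_per_attempt
    hours, rest = divmod(total, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours}:{minutes:02d}:{seconds:02d}"


def effective_entry(entered: str) -> str:
    """Model the quirk described in the thread: pressing a key that is already
    pressed does nothing, so the entry '141' behaves exactly like '14'."""
    pressed = []
    for key in entered:
        if key not in pressed:
            pressed.append(key)
    return "".join(pressed)


def compare(buttons: int = 10, length: int = 4) -> dict:
    """Search-space sizes and exhaustive-try times for one code length."""
    rows = {
        "repeats allowed": keyspace(buttons, length, True),
        "no repeats": keyspace(buttons, length, False),
        "no repeats, keys known from wear": worn_keys_keyspace(length),
    }
    return {name: (n, worst_case_time(n)) for name, n in rows.items()}


if __name__ == "__main__":
    for name, (n, t) in compare().items():
        print(f"{name:35s} {n:6d} candidates, {t} to exhaust")
```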
He probably knew about the "secure" door (likely a fire exit) around back that's always propped open with a fire extinguisher, usually because the air con in that room doesn't work / people can't be bothered to keep their passes on them.
Lost count of how many workplaces I've had where that was commonplace...
Nah. The server room is located behind a series of steel reinforced doors that require coded RFID identification cards, a PIN, a fingerprint scan, facial recognition and a man trap. There's no WAY you're getting in there by way of a casual stroll. Now the main electrical switch room next door where the server racks are fed from and where the air conditioning plant control gear is located... THAT'S the door propped open with a fire extinguisher.
It's a public place, so the first hurdle is cleared.
He would be a familiar face who had just been sacked, maybe with little fanfare, so many of his colleagues may not have been aware of the fact, possibly only knowing (vaguely) that he had left / was going to leave. So someone held a door open for him, giving access to a restricted area.
That gets you most of the way in, with no one questioning him as he was a familiar face.
So true. Maybe a badge system that wasn't deactivated because they've either outsourced IT or are underpaying IT. And the combo lock code that should be changed after every tech is let go wasn't.
Many moons back an incident happened at the NHS that I'd warned the stakeholders about 3 months earlier, but being a low-down, bottom-of-the-pile (as they saw it) contractor I was ignored. 3 months later the incident was brought up again, at which point I pointed out I'd warned them 3 months earlier. They attempted to drop me; then a head of service admitted in a meeting it was his job to change passwords etc. that he hadn't done, but that would change. I see they never tried to fire him. He also tried to force me into a meeting without representation. They were all in cover-up mode because it was their fuck up and attempted to make me the scapegoat. They are lucky they didn't, as the press would have heard about it. It's 18 years ago now, long gone.
It's mostly this way when IT departments are understaffed and/or underfunded, where you end up not giving a shit because no one else appears to give a shit about your department. Kevin Mitnick pointed out issues in his books. One IT worker fired in front of a department was then allowed back to his desk for the day. That evening all the servers rebooted and wiped themselves. He was long gone, so they couldn't prove it was him. Another had planted a modem under someone's desk so he could remote in if ever let go.
I've wandered into interesting places that I had absolutely no clearance or authorisation for, I've even been escorted to them "for security reasons" by well meaning staff and no, I'm not a pen tester.
It's highly possible that someone recognised his face and just let him in or that he tailgated someone else.
It's depressingly common. When I say I had no clearance, I mean it too: these were sites where very specific security vetting and permissions were required, and I've just walked in after flashing a pass; there were no checks or other ID apart from a very easily forgeable ID card (I could have made my own on a colour copier).
Weirdly, the hardest places to gain access were some of the ones you'd think least likely to have good security practices and regimes in place.
As with many of these things, organisations tend to think that because they are not handling anything obviously critical to anyone else, they are not at very high risk.
What they always forget is that what their IT is handling is their own business, and that that is very critical to themselves. Looked at that way, one generally becomes a bit more careful.
The article makes it clear that this person used physical access. Fire the physical security director if you like, although you might want to figure out how they got access to the things they did. From the lack of detail, we don't know that this person had any system access at all. If they walked in and then smashed some important computers with a rock, that would work with the information the article gives us.
The guy was caught red-handed, so the physical security wasn’t all that bad. If he had legitimate physical access before, there are a lot of ways he could have disabled locks or copied keys he wasn’t supposed to have. So firing the head of security is a bit pointless, as any replacement may well be worse. At least the current security team have learned a valuable lesson about the dangers of inside sabotage.
I agree. The number of times where something bad justifies firing someone is much lower than the number of times someone suggests it. My problem was that, even if we decided that something egregious enough had happened, they named someone who, for all we know, did nothing wrong. At least physical security has an improvement to make; although they caught the person, they were probably tasked with not letting him in in the first place and did not succeed at doing that. However, it would still take something extreme for me to conclude that their failure to do so required firing somebody.
"At least the current security team have learned a valuable lesson about the dangers of inside sabotage."
And how they handle it should be enlightening, although we may never know. Odds are there will be a kneejerk reaction of some sort involving monitoring everything everyone does and such a tightening of security in general that everyone will suffer for it :-(
I think they probably already do. There apparently being no honour amongst those who make disputed claims of ownership...
There was a film I saw years ago, name long forgotten but I do remember a line I liked: a character being asked what they were in prison for, to which they answered "an error in judgement". I figure that would cover most of the prison population. There's a lot of hot-headed people out there.
Being freelance really requires a professional approach to everything including the fact that the contract might be terminated at any time; an approach which was clearly lacking. But sometimes the permies just look at the money and think "I could do that" and make the jump when they really shouldn't.
"The freelancer gained entry to an unauthorized area late last week to wreak havoc, the Metropolitan Police confirmed"
I would not be at all surprised if that phenomenon is more widespread than is reported, with institutions and companies not wanting any publicity or reputational damage arising from a former employee's acts of vengeance.
Maybe the rogue IT bod also borked the CCTV system, so they wouldn't be able to catch the public nicking stuff from the exhibitions
Most likely. If they have exhibits in on loan (which is usually the case for temporary exhibitions), they will be under contract with the owners and insurers to ensure a certain level of security. If there are issues with the CCTV (and there were definitely issues with security!), it's probable that they can't - contractually - have those items on display until they've rectified the issue.
And, of course, here's a knock on effect with ticketed exhibitions. We made a trip to London - travel, hotels, etc. - for the Terracotta Army exhibition. As it was, the entry time was late night so if something like that had happened then the chances of getting a new time whilst we were there would have been negligible.
No doubt there were a good number of ticket holders who've also made a special trip and missed the event at the heart of it just because some pillock decides to commit professional suicide.
"I can't understand why they _had_ to close some exhibitions - surely 'just let the public in' would have worked."
Apart from the very good explanations already posted, and I've not been there in many years, but quite a number of museums have "interactive" displays where the information is on a mounted tablet device and/or have computerised guide books triggered by items/locations etc. Anyone been in recently enough to know if that is the case at the British Museum? Would it make a visit much more problematic if none of those displays/devices were working?
'Shut down' museum IT systems. Did he remove a vacuum tube?
At least they can grab an abacus from one of the displays and continue operations. Better than that theft from the Dutch museum.
I read this report in quite a different way from others.
"The Met told us they were called to the institute on January 23 at approximately 2025 UTC to "reports that a man had entered the British Museum and caused damage to the museum's security and IT systems."
I don't think he has used ninja-knowledge, I think he has gotten liquored up after his last hour at work, forced his way back in, in so doing he has set off RedCare or equivalent.
The plod have arrived, probably struggled to get in at first, maybe went to see if some jewels had been liberated and finally found our hero in the server room where he had smashed up some equipment and/or disabled some systems at a basic level.
Exhibitions need to remain closed thereafter until the relevant equipment can be replaced/repowered in order that said jewels above can remain secure.
50 year old contractor - how/why had he been dismissed? Has his temperament done him down twice?
Role Summary
Administrator
Collection Projects and Resources
Full-time (41 hours per week)
Permanent
£28,144 per annum
Application deadline: 12pm (midday) on 6 February 2025
Key areas of responsibility:
Health and safety and fire safety compliance, including fire warden duties as appropriate.
So it sounds to me like they want, on the cheap, a fire safety officer but don't want to pay for that knowledge, so you're just an "admin" instead. And/or forcing an admin to be a fire warden when that is supposed to be a voluntary job; you don't force people into it.
Which is odd, as they are also hiring for a fire safety specialist who works with the senior fire safety manager. Then why are you forcing the admin to do fire stuff?
As always, it's a case of the higher-up people getting all the money, then penny-pinching when it gets lower down the chain. No doubt their IT is underfunded. I've seen this before in other museums I did support for.
They'll now hire an expensive consultant to help them "secure our IT better". That consultant will recommend everything the IT team already did but was told "We can't afford that" but now the consultant has said it, "That is a great idea". Been there, seen that as well. Where a consultant asked us what we saw, how it could be made better etc. We told him, told him we'd already made these suggestions before. He took our ideas, palmed them off as his own, they said how amazing he was and started to implement some of those ideas. Shocking, demoralising and REALLY FUCKING ANNOYING.
My dad was in Trading Standards back when it was still called "Weights and Measures"; when I was a kid in the 70s he used to say that when spying on shops and factories suspected of dodgy dealings, if you wear a mid-range suit, with a white or brown overcoat over it if required for the disguise, wear glasses and carry a clipboard, it's amazing how often (nearly always) that nobody challenges you. A sort of pen testing, I guess. These days it'd probably require a warrant or something or be against the boss' human rights or whatever. AC as some of the folks involved (other than Dad) might still be with us.