(not) Safe digest: Tesla sabotage, hospital extortionist and “shower seller”

Every month we collect classic and non-trivial information security cases. Our attention is drawn to stories of data breaches, scams, sabotage – any incidents of which insiders are responsible.

Some cases are funny, some outrageous, but all are instructive. Some, because they happen “out of the blue,” because of the prohibitively negligent attitude to safety (Trump, you are the best!) Others, because they talk about complex multi-moves.

Since October we have decided to share our digest here on Habr.

They have

Tesla stalled

What happened: At the automaker’s factory in Fremont (California, USA) for several hours stopped Production Line. IT and cybersecurity services soon followed the trail of the attacker.

Who is guilty: It turned out that the work was sabotaged by one of the employees. He also tried to cover up his tracks by blaming a colleague for the crime and destroying the company’s computer. The employee was fired. And although the company did not disclose the details of the incident, there is the notorious “employee revenge”, which Tesla has faced not for the first time. For example, in 2018, Elon Musk accused sabotaged by former company engineer Martin Tripp.

Nothing is sacred

What happened: From St. Michael’s Hospital in Toronto (Canada) leaked personal information about 150 patients. Their full names, medical history, diagnoses, treatment plans and prescribed medications fell into the wrong hands.

Who is guilty: Clinical records from the hospital were taken out by an employee whose work included decoding of medical appointments and drawing up reports. The attacker tried to blackmail the hospital management, demanding a ransom for the stolen copies of documents. The police were involved. Now the proceedings are underway. The hospital assured that it had “improved methods of protecting information” and discussed the incident with the staff.

# Lattice – challenge

What happened: Open access in the USA hit transcripts of telephone conversations between prisoners and their loved ones, as well as confidential calls to lawyers. According to information security researchers, a database with thousands of records has been online since at least April.

Who is guilty: One of the contractors for HomeWAV, a telecom company that operates prisons throughout the United States, made a mistake. The control panel of one of the databases was not password protected. Anyone could view and read call logs and transcripts of prisoners’ conversations with friends and family.

HomeWAV has publicly acknowledged the incident. Although the question of why she generally recorded and transcribed conversations protected by lawyer’s secrecy remained unanswered.

“Defend yourself, Mr. President! “

What happened: Twitter account of US President Donald Trump once again hacked… The incident eloquently highlighted the importance of strong passwords and highlighted security gaps in the social network.

Who is guilty: The attacker turned out to be a hacker from the Netherlands, Victor Gevers. He said that he got access to the account from the fifth trial, and after four unsuccessful attempts, the system did not block him. The account “opened” simply – “maga2020!” (Trump’s campaign slogan Make America Great Again 2020!). Surprisingly, there was no two-factor authentication connected to it.

Gevers immediately reported the successful hacking to the CIA, the FBI, the Trump team and Twitter. By the way, the Dutchman was one of three hackers who hacked into the account of an American politician in 2016.

We have

Soul Seller

What happened: From the Novosibirsk police department for two years poured information about the deceased and their relatives.

Who is guilty: The culprit turned out to be a police officer who passed the data on to the owner of the funeral business (Classic story!). For information about one deceased, a policeman received 10 thousand rubles. The investigation proved 12 facts of transfer of such information, that is, the total “gain” from data trading amounted to 120 thousand rubles. A criminal case was initiated.

“Krot” – oil worker

What happened: From JSC “Transneft-Diascan” carried out documents constituting a commercial secret. The prime cost of the developments described in them is 2 billion rubles.

Who is guilty: The former leader is suspected of a crime. He quit the company 1.5 years ago and took with him the design documentation for the instruments for carrying out diagnostic work at the oil industry facilities. Then the ex-employee opened a company in the Moscow region and started looking for buyers of the stolen documents. The newly-made businessman asked for 400 million rubles for the development of Transneft.

The law enforcement officers and the FSB were investigating the case together with the security service of Transneft. A case was initiated under the article on illegal disclosure of commercial secrets.

Double agent

What happened: And again the classic. In Volgograd with a mobile operator kidnapped client base, which stored personal data of 5 thousand subscribers.

Who is guilty: The culprit of the leak turned out to be a cunning manager who took a job in two competing companies. He decided to increase sales in one of them at the expense of other people’s clients. And I downloaded the competitor’s database to my personal computer. Now the man faces up to 6 years in prison for theft of commercial secrets.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *