Breach, TDR

Personal info on six million Chileans posted

May 12, 2008
According to various news reports, a hacker has exposed the personal information of about six million Chilean people.

The hacker, known as Anonymous Coward, is reported to have penetrated government and military servers to steal data, including ID card numbers, addresses, telephone numbers, emails and academic records.

According to the Chilean newspaper El Mercurio, the hacker committed the breach in order "to demonstrate how poorly protected data in Chile is."

Gordon Rapkin, president and CEO of Stamford, Conn.-based Protegrity, an international data security company, said the data was posted on two websites (IT site FayerWayer and community site ElAntro) after the hacker stole the data from sites run by the state-owned telco, an electoral agency and the Education Ministry. The sensitive data was available for around two hours over the weekend before authorities stepped in, he said.

"Chile may seem far away to many computer users, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant for Sophos. "No matter how moral or ethical the hacker's motives, this prank was irresponsible and has left almost 40 percent of Chile's population at risk of identity theft."

Sophos experts note that although the scale of the Chilean breach was much smaller than a similar incident in Nov. 2007, when the details of some 25 million people in the U.K. –- about half of the country's population -– was lost after two computer disks being transported between government departments went missing, the fact that the information in Chile was posted online, however briefly, increases those victims' risk of identity fraud.

Sophos's Cluley told SCMagazineUS.com Monday that the good news is that it appears the authorities have moved swiftly to take down the information on the websites to which it was posted.

"Of course, there's nothing to say that the information won't be posted again to another site -- either by the original hacker or by someone else who grabbed a copy of the information during the 'several hours' it was available," he said.

Further good news, said Cluley, is that it appears bank account information was not stolen.

"However, details of names, addresses, telephone numbers, social and educational information was taken -- and these may provide valuable stepping stones for hackers who wish to commit identity theft."

People possibly affected by this data breach should keep their eyes peeled for symptoms that might suggest they are about to have their identity stolen, said Cluley, adding that examples of what to look for, include:

  • You stop receiving bills or other mail -- this could suggest that an identity thief has given a different address in place of your own.
  • You start receiving credit cards for which you did not apply,
  • You are denied credit for no obvious reason.
  • You receive calls from debt collectors about items you did not purchase.
  • When checking your credit history, you see items you do not recognize.
  • Your bank statements include withdrawals, payments and money transfers for which you cannot account.

Meanwhile, Cluley suggests that organizations that store information about members of the public must make sure they have strong defenses in place to reduce the risk of a data breach.

"That can include having the latest security patches, anti-virus software, network permissions and policy infrastructure, network access control, and so forth," he said.

prestitial ad