Geekzone: technology news, blogs, forums


tehgerbil

#299445 8-Sep-2022 11:05

https://www.stuff.co.nz/national/crime/129814013/computer-hacker-steals-sensitive-information-from-20000-christchurch-hot-pools-customers


Personal information about as many as 20,000 members of the public has been stolen in a data breach at Christchurch City Council’s He Puna Taimoana hot pools.


The material hacked includes copies of drivers' licences, passports, rates invoices, tenancy agreements, utility bills, and other council membership cards – all items provided by pool users as proof of residency.


Kyanar
  #2964628 8-Sep-2022 12:06

Cox’s letter said the council’s immediate priority has been to secure the “underlying vulnerability in the system” which let the breach happen. This has been done by installing a security update.


Why was an unpatched server accessible from the internet anyway? If they needed to store this data (they didn't, they could simply have flagged the individual in whatever system they are using as verified upon sighting valid proof of residency) then it is incumbent upon them to secure it properly. IMO this level of incompetence should be subject to prosecution.




Geektastic

  #2964922 9-Sep-2022 08:27

Too busy worrying about important things like cycle lanes and removing car parking spaces to be attending to mere IT security!






mrdrifter
  #2964935 9-Sep-2022 08:51

What really annoys me about this, is that in a professional capacity ~3 1/2 years ago I actually talked through these scenarios with the CCC when writing up a report and guidance document for them. I spent a number of sessions with them analysing and discussing their disparate systems that all rely on their own verification processes and the ongoing storage of this information well past the point it was required. While it's quite a sprawling and complicated range of systems, some of these risks were/are reasonably easy to mitigate at an individual level. 


MikeAqua

  #2964972 9-Sep-2022 10:37

A good example of: Don't store info you don't really need to.  They needed to see info that verified customers were ChCh residents, then charge them the appropriate fee.  That info didn't really need to be stored. 


If you have low-trust culture you might want to audit cashiers, to ensure the discount is not being given to people it shouldn't.  Personally I wouldn't bother auditing anything for a $4 discount.  I would just trust my team.





Mike


kyhwana2

  #2964981 9-Sep-2022 11:01

https://www.databreaches.net/computer-hacker-steals-sensitive-information-from-20000-christchurch-hot-pools-customers-no-thats-not-what-happened/
Turns out the Christchurch City Council effed up and left an Azure Blob Storage instance world readable. They weren't "hacked"; they were negligent.


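The world-readable blob storage kyhwana2 refers to is a configuration check rather than an exploit, so here is an added example (mine, not code from the thread, the linked article or the council) that audits the JSON printed by `az storage account list` and `az storage container list` for containers an anonymous client can read, and prints the remediation commands. The field names (`allowBlobPublicAccess` on the account, `properties.publicAccess` on the container with values `blob`, `container` or null) are the Azure CLI output as I know it; check them against your CLI version. The account and container names and the sample JSON are constructed so the script runs offline.

```python
"""Audit Azure Storage accounts for anonymously readable containers.

Added example for this thread; not the council's code and not the CLI's
own logic. Evaluates the JSON emitted by the Azure CLI (assumed field
names: `allowBlobPublicAccess` per account, `properties.publicAccess`
per container with values "blob", "container" or null).
"""
import json

# Constructed sample in the shape of `az storage account list -o json` (trimmed).
# Account names are invented.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "poolsdocs", "allowBlobPublicAccess": True},
    {"name": "ratesbackup", "allowBlobPublicAccess": False},
    {"name": "legacyimages"},  # older output may omit the field
])

# Constructed sample in the shape of
# `az storage container list --account-name <acct> -o json`, keyed by account.
SAMPLE_CONTAINERS = {
    "poolsdocs": json.dumps([
        {"name": "residency-proofs", "properties": {"publicAccess": "container"}},
        {"name": "website-assets", "properties": {"publicAccess": "blob"}},
        {"name": "private-uploads", "properties": {"publicAccess": None}},
    ]),
    "ratesbackup": json.dumps([
        {"name": "residency-proofs", "properties": {"publicAccess": "container"}},
    ]),
    "legacyimages": json.dumps([
        {"name": "img", "properties": {"publicAccess": "blob"}},
    ]),
}


def container_is_anonymous(account: dict, container: dict) -> bool:
    """True if an unauthenticated client can read blobs in this container.

    Both switches must be open: the account must permit public access, and
    the container's own level must be "blob" (read by known name) or
    "container" (read and also enumerate every blob name). A missing
    account-level field is treated as permitting access (assumption: the
    conservative choice for an audit).
    """
    account_allows = account.get("allowBlobPublicAccess", True)
    level = (container.get("properties") or {}).get("publicAccess")
    return bool(account_allows) and level in ("blob", "container")


def anonymous_listing_url(account_name: str, container_name: str) -> str:
    """URL an anonymous client would GET to list a 'container'-level container
    (Blob service REST 'List Blobs' operation); a 200 here confirms exposure."""
    return (f"https://{account_name}.blob.core.windows.net/"
            f"{container_name}?restype=container&comp=list")


def audit(accounts_json: str, containers_by_account: dict) -> list:
    """Return one finding per anonymously readable container."""
    findings = []
    for account in json.loads(accounts_json):
        name = account["name"]
        for container in json.loads(containers_by_account.get(name, "[]")):
            if not container_is_anonymous(account, container):
                continue
            level = container["properties"]["publicAccess"]
            findings.append({
                "account": name,
                "container": container["name"],
                "level": level,
                "listable": level == "container",
                "check_url": anonymous_listing_url(name, container["name"]),
                "container_fix": (
                    f"az storage container set-permission --account-name {name} "
                    f"--name {container['name']} --public-access off"),
                "account_fix": (
                    f"az storage account update --name {name} "
                    f"--allow-blob-public-access false"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print(f"{f['account']}/{f['container']}: publicAccess={f['level']}"
              f"{' (blob names enumerable)' if f['listable'] else ''}")
        print("  verify:", f["check_url"])
        print("  fix:   ", f["container_fix"])
        print("  then:  ", f["account_fix"])
```

Note the `ratesbackup` container is skipped even though its own level is `container`: the account-level `allowBlobPublicAccess false` overrides it, which is why that is the fix to apply first; setting individual containers to `off` only helps until someone creates the next one.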
Kyanar
  #2965075 9-Sep-2022 12:21

It also turns out Christchurch City Council has form for inappropriate storage of documents leading to disclosure.


Handle9

  #2965143 9-Sep-2022 15:37

MikeAqua:

If you have low-trust culture you might want to audit cashiers, to ensure the discount is not being given to people it shouldn't.  Personally I wouldn't bother auditing anything for a $4 discount.  I would just trust my team.



It’s a public entity so they need an audit trail otherwise clowns like the publicly funded taxpayers union start going off their head.

MikeAqua

  #2966028 12-Sep-2022 09:42

Handle9:

It’s a public entity so they need an audit trail otherwise clowns like the publicly funded taxpayers union start going off their head.

 

It's a public entity so they WANT an audit trail, because no-one has the intestinal fortitude to stand up to whoever is going off their head about something so immaterial and say:

"the locals' discount is nickel and dime stuff, it's not worth auditing and we're not going to".

Even better, call those critics out for what they're doing, which is leveraging people's petty tribal inclinations.

An even wiser decision would have been not to have two prices in the first place. That was probably a concession to some group of axe-grinders in the first place. I've been to those pools as an out-of-towner. I didn't even know there was a locals' price. It's a great facility and we really enjoyed it. We bought lunch, had a couple of beers and some ice creams in New Brighton and did a little shopping too. If the council had gotten $8 less out of us it wouldn't have really mattered.
Mike

