Coming Clean After A Hack
A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.
The agency that holds the data is RENAPER, or Registro Nacional de las Personas, which translates as the National Registry of Persons.
The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.
But here is where things get messy.
The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.
The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.
Three days later the government concocted a story that says they discovered a VPN account was used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.
Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19 names – where did the rest of the data come from? And, at the exact moment? Shouldn’t there be some delay between stealing the data and using it? At least a little delay. They went out of their way to say at the EXACT moment.
When the media contacted the hacker after the government published their likely made-up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.
The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.
The hacker didn’t deny that the VPN leak was real. Possible point of data extraction.
I can’t guarantee that the government is lying and the hacker is telling the truth, but it sure seems that way.
If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.
It is also a problem for citizens if their card is used to commit a crime.
BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.
The government may be trying to figure out what to do. Reissuing – SECURELY – 45 million ID cards quickly is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?
This is a challenge for everyone who gets hacked – government or otherwise.
I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.
For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy.
Credit: The Record