LulzSec, in their recent #AntiSec triad, have issued a statement saying that they have access to the 2011 Census data of UK citizens. PasteBin Link.
Some of their tweets are self-explanatory:
Securing citizens’ data with law is the biggest mistake any organization can ever commit. Sounds confusing? Follow this link to read about how 2011.census.uk.gov secures the data. For those who would rather stay on this website, the NEW Age Security Guidelines by 2011.census.uk.gov are presented here.
How will you protect my info?
We want you to feel safe about sharing personal information with us.
The Office for National Statistics (ONS) is an internationally trusted provider of statistical information and we are responsible for the security of your personal information:
- Personal census information is protected by law
- All census staff sign and are bound by an individual commitment to confidentiality
- We will not share your personal information: census questionnaires are stored on microfiche and kept confidential for 100 years
- All our systems and processes are built with very strong security safeguards
- We use your information to produce and analyse numbers of people
- All census questionnaires are processed in the UK
To ensure the confidentiality of your personal information, all our systems, processes, staff and contractors are bound by:
- Data Protection Act 1998
- Census Act 1920
- Statistics and Registration Service Act 2007 (SRSA)
So effectively, what this all means is that firewalls, application-level firewalls (www.greensql.net), etc. are optional and probably not required, because the valuable data is already protected by LAW.
PPS: SQLi – how is it done? Here is an excellent pastebin link for you to learn about SQLi and how it is all done.
Next Blog – Data Security By Government Organization.
At the time of writing this blog, it was still unknown whether LulzSec had owned the servers, done an SQLi, caught the census contractor unawares, or WHAT?
It is also unknown whether the Census 2011 DB resides on these servers. Waiting for their side of the lulz.
UPDATE: The Office for National Statistics confirms it is investigating the claims but says there is no evidence of a security breach as yet.
We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.
As per the modus operandi of LulzSec – now that the agency has confirmed that nothing has been breached, we can expect a disclosure (IF there was a breach) – subject to certain developments (read – http://bit.ly/lOc5Ta).