How Secret are these Secrets on WikiLeaks?

The WikiLeaks release of 250,000 documents is, of course, big news – it’s the largest number of published leaked secret documents ever.

There is much excitement about the content, understandably so. The US Administration is less excited and is apparently concerned about the leaks, with the following statements being made:

  • “Such disclosures put at risk our diplomats, intelligence professionals, and people around the world who come to the United States for assistance in promoting democracy and open government”
  • “President Obama supports responsible, accountable, and open government at home and around the world, but this reckless and dangerous action runs counter to that goal.”
  • “place at risk the lives of countless innocent individuals”
  • “place at risk on-going military operations,”
  • “place at risk on-going cooperation between countries.”

So, the US administration and US Intelligence seem to be pretty concerned about the “risk”.

Clearly, such damaging material would be kept under incredibly tight security? They would probably take the following actions to minimize risk:

  • Partition the information – so only certain people could access certain information
    • For example, there is no need for all the Brazil analysts to access information on Italy.
  • Remove any network connections
    • For obvious reasons
  • Limit physical access
    • High security rooms, CCTV, armed guards, those fancy double key entry rooms you see in movies, etc, etc
  • ZERO ability to copy data.
    • Systems to prevent photography, printing, etc (obviously USB devices would be blocked)

Errr, well no.

Those statements are probably true for critical intelligence, but these cables are NOT even Top Secret. They were just “Secret”, which is pretty low in the world of intelligence; in fact, Top Secret is when intelligence circles really start to operate, and there are several levels above Top Secret.

The data that was stolen was copied from a centralized system to which around 3 million US military and US government workers had access, from very junior levels upwards.

Much of the data was, according to the Guardian, who are involved in leaking the material with WikiLeaks, copied to a CD! I.e. it was nothing more than a drag-and-drop exercise.

Hardly high-tech, and hardly highly protected data.

There is a staggering lack of security around these secret files. Probably because they contain opinions rather than hard intelligence, source names or signal frequencies.

Given the numerous cases of spying and espionage (see a small sample below, more available here), it’s likely these cables would already have been seen by other intelligence agencies.

Examples of Spying

It is highly unlikely that all cases of spying are discovered and made public.

Given the alleged “risks” this data poses, with “countless lives at risk”, there was little security around the actual data. In fact, it sounds like it’s harder to get onto a plane with a 500 ml bottle of water than to get hold of the “secret” cables.

The 250,000 leaked cables may be the biggest leak ever published, but it’s probably not the biggest leak ever.


Data Theft – T-Mobile 1st Conviction

A former T-Mobile employee has admitted his role in the illegal sale of massive volumes of customer data to marketers.

David Turley, of Birmingham, 39, pleaded guilty to 18 charges under section 55 of the Data Protection Act at Chester Crown Court in July 2010. A second former T-Mobile employee, Darren Hames, of Staffordshire, 38, will enter his pleas in relation to his alleged role in the theft on 23 November 2010.

The illegal sale of millions of subscriber records was revealed by the Information Commissioner Christopher Graham last November, as part of a campaign for tougher sentences for data thieves.

The T-Mobile data was used to cold call and poach subscribers who were coming to the end of their contracts.

The Register

Data Theft – T Mobile (Nov 2009)

Personal details of thousands of mobile phone customers have been stolen and sold to rival firms in the biggest data breach of its kind, the government’s privacy watchdog said today.

An employee of phone operator T-Mobile sold the customer records, including details of when contracts expired. The millions of items of information were sold on for “substantial sums”, the Information Commissioner’s Office (ICO) said. Rival networks and mobile phone retailers then tried to lure away T-Mobile customers by “cold calling”.



Data Theft – T-Mobile 2nd Conviction

Darren Hames, aged 38, from Staffordshire, who used to work for T-Mobile UK, pleaded guilty at Warrington Crown Court to having sold confidential customer information from the telecom operator to third parties.

Darren Hames was found guilty under Section 55 of the Data Protection Act. Sentencing will not occur until the New Year (2011). The first man convicted in relation to this incident was David Turley, of Birmingham, 39.

The ICO statement on Hames

Data Theft: Payout

Following the theft of credit card details in 2008 from TJ Maxx, TJ Maxx has been forced to pay out a $9.75 million fine in a settlement with dozens of states in the US. The scale of this fine is huge, especially considering the data was not lost, but stolen, and people have been convicted for it.

“The decision to enter into this settlement reflects TJX’s desire to concentrate on its core business without distraction and to promote cybersecurity measures that will benefit all consumers,” the company said in a statement.

TJX said the settlement’s costs are accounted for in a 2007 reserve it created.

Data Theft: RAF

It has just been reported that the RAF data theft in September 2008 was far worse than originally reported and includes details of drug use, debts and affairs about RAF officers, which is not just embarrassing but could also be used to blackmail people.

To compound the problem this part of the data loss has only just been admitted.

According to an “unnamed” Wing Commander who contacted the BBC, the data theft not only includes the usual information that we expect the government to lose (names, addresses, and bank details), but also “details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties”.

This information would be there as it was part of the vetting procedure for those who work in classified areas. During the vetting procedures, questions are asked about an individual’s personal life so that detailed background checks can be made. The answers to those questions were stored on 500 files, and it is these 500 files which were included in the theft of the USB drives.

Such detailed information would be of excellent use to those who wish to threaten and/or blackmail RAF officers. The RAF did not inform parliament, or the ICO, that such a data loss/data theft had occurred, or possibly the police, though this is not clear at this point.

In its typically bland statement, the MoD stated that “All individuals identified as being at risk received personal one-on-one interviews to alert them to the loss of the data, to discuss potential threats and to provide them with advice on mitigating action,” the statement says… “There is no evidence to suggest that the information held on the hard drive… has been targeted by criminal or hostile elements.”

While the statement does not reveal much, it does tell us that the data was not encrypted, and that the RAF does not think a targeted theft of USB drives is criminal activity.

Again, the question has to be asked: If secret information about those who handle top secret information, from AWACs communications to battle plans for wars, is not encrypted and protected, what do they encrypt?

This is not the first time the MoD has lost data, nor the first time it has failed to use encryption.

Data Theft: Data Theft Increases with predictions

Following KPMG’s predictions in early 2009, KPMG has worked with Mishcon de Reya, the well-known law firm, to create another report into data theft by employees.

The statistics released include:

  • In 70% of corporate data theft cases, the perpetrators were leaving an organization to go to a competitor.
  • 14% involved accounts information, business plans or forecasts.
  • Those caught stealing are most likely to justify their actions by saying the competitor already knew about the information (60%) or that the data was in the public domain (30%).
  • 22% of cases surveyed involved women stealing data
  • Since 2006 the number of cases of this nature handled by Mishcon de Reya has more than doubled from 20 in 2006 to 45 last year.

Dan Morrison, a partner at Mishcon de Reya, stated that:

“The stolen data has often limited shelf life and employees realise they have to use the information quickly or they will lose their competitive advantage…Therefore when data theft is discovered or suspected, swift action is needed. At Mishcon de Reya the average time taken in a case of this nature from instruction to legal relief, whether in the form of restraining injunction, undertakings, damages or apologies, was just over 2.5 weeks.”

Interestingly, a few years ago Mishcon was quite close to the other side of a data theft case,