Anonymous victimized transit passengers who ride San Francisco's BART rail system by dumping personal information after a successful SQL injection attack.
Passengers who ride the San
Francisco regional subway system are the latest innocent victims, as hacktivist
collective Anonymous stole and released sensitive information belonging to more
than 2,000 riders.
On Aug. 14, the loose-knit
group of hackers breached MyBart.org, the Website commuters use to get
information from the Bay Area Rapid Transit system. The names, street and email
addresses and site passwords for about 2,400 people who'd registered with the
Website were dumped on various torrent sites. Some database dumps also included
phone numbers for many users. The attackers defaced the Website with Guy Fawkes
The attack was in protest of
two fatal shootings by the transit police and the regional subway authority's
decision to temporarily suspend cell phone service in its stations, Anonymous
wrote in a note. BART officials disconnected cellular antennas used at several
San Francisco stations on Aug. 11 to disrupt plans for a demonstration
protesting a fatal shooting of a passenger accused of throwing a knife at a
transit officer July 3. No protest actually took place during the time the
cellular link was down.
"A civil disturbance
during commute times at busy downtown San Francisco stations could lead to
platform overcrowding and unsafe conditions for BART customers, employees and
demonstrators," BART officials
said in an Aug. 12 statement. The suspension was for only a few hours and did
not affect cellular service outside the stations, the officials said.
An earlier protest on July
11 had disrupted BART service in the evening. Organizers planned to use mobile
devices to get the word out about the Aug. 11 demonstration and not with a
"public announcement beforehand" to maintain the "element of
local-news site SFist
The data breach victims had
nothing to do with the decision to suspend the services or with the fatal
shooting. "It is puzzling to me how exposing thousands of innocent
people's personal information hurts BART more than it hurts transit users,"
Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked
"It's just common sense
that I shouldn't be the target," one of the victims whose details were included
in the data dump told The Register,
adding that he'd received a "creepy" phone call from a person
claiming to be a member of Anonymous who uttered "foul language, hushed
tones and threats."
Attackers exploited a
SQL-injection vulnerability on the site, according to the Anonymous note. In
this kind of attack, database commands are entered inside a form, such as a
forum post, comment box or even log-in box, and if the developers didn't enter
proper error-handling methods in the code, the form would return data from the
"virtually no security," according to the note. Adding that any
"8-year-old with a Internet connection" could have breached the site,
Anonymous pointed out that none of the information, including passwords, was
"It's time for
organizations that store customer data to step up and take responsibility for
the information they have been trusted with," Josh Shaul, CTO of
Application Security, told eWEEK.
the database contains any sensitive information, then organizations
"simply must" directly protect the databases and not rely on
perimeter defenses such as corporate firewalls and antivirus systems, Shaul
Consumers need to start
demanding that businesses they work with have better information security
practices. "If the market doesn't punish those who lose our data with
complaints and lost customers, this flood of successful attacks is not going to
stop," Shaul said.
Anonymous and similar groups
of protest-hackers have breached a number of major government-related Websites
recently, such as the information from 70 law enforcement agencies around the
Anonymous released some
information on follow-up OpBART attacks, including a campaign to bombard email
addresses and fax numbers with messages, knocking the site offline, and a
"physical protest" at the Civic Center Bart Station.
BART officials said it was
preparing for further attacks from Anonymous but stressed that the Web
infrastructure was separate from any networks running BART transportation
services, so train service would not be affected by any further incidents.