Earlier today, I checked out the information leak that the now-infamous Anonymous collective released from their hacking into the BART system over the weekend in retaliation for what they perceived was a breach of civil rights by BART during a protest last Friday. I don't need to give you details since you can look those up, or an opinion on whether BART violated civil rights or not ... but I will give you an idea of the consequences of one of these little stunts.
As you can see, the site was released in the middle of the night on Sunday (see image below).
Shortly thereafter, one of the people who had their information leaked, and just so happens to work here at HP, got this email:
Yes, this is your typical USPS delivery notification phishing email, and if you look closely at the link you'll realize it points to some site that's obviously not the USPS... but I digress.
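The tell in that email is a link whose visible text or branding says one thing while its actual destination says another. The following is an added example (not from the original post) of a small scan that pulls every link out of an HTML email body and flags the ones where the brand named in the link text, or a URL shown as the link text, does not match the domain the href actually points to. The sample email body, the placeholder domains in it, and the `BRAND_DOMAINS` table are all constructed for this illustration.

```python
"""Flag email links whose real destination does not match what they claim.

Added example, not code from the original post. The sample email and the
domains in it are constructed; the brand table is an assumption you would
replace with the brands your users actually receive mail from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> the registrable domain that brand legitimately uses
# (assumption for this example; extend for your own environment).
BRAND_DOMAINS = {
    "usps": "usps.com",
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic; a real deployment would use a
    public-suffix list so that e.g. co.uk domains are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for links that look spoofed."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        # Brand named in the link (text or URL) but hosted somewhere else.
        claim = (text + " " + href).lower()
        for brand, legit in BRAND_DOMAINS.items():
            if brand in claim and actual != legit:
                reasons.append(f"mentions {brand} but resolves to {actual}")
        # Link text that is itself a URL on a different host than the href.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != actual:
            reasons.append("visible URL differs from actual href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body: one legitimate link, one delivery-notice lure.
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<p>Visit <a href="http://www.usps.com/">USPS</a> for general information.</p>
<p>Print your label here:
<a href="http://usps.com.tracking-example.net/deliver">https://www.usps.com/track</a></p>
"""


def scan_sample():
    """Run the scan over the constructed sample email."""
    return suspicious_links(SAMPLE_EMAIL)


if __name__ == "__main__":
    for href, text, reasons in scan_sample():
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

The second link in the sample is the pattern from the email above: the text reads like a USPS URL, the hostname even starts with `usps.com`, but the registrable domain is the attacker's. Running the scan over the sample reports that one link with both reasons and leaves the genuine USPS link alone. It is a heuristic for mail-gateway triage or user-facing warnings, not a verdict: legitimate mail from a brand's third-party mailer will also trip the brand check, so the output belongs in a review queue, not a block list.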
Interestingly enough, I'm happy to put Karen into the "gets it" class of user. She's security aware, and does a good job of being paranoid. When I sent her an email about the fact that her information was exposed, she was already well on top of the situation. In fact, she forwarded me the phishing email she was suspicious of so I could investigate it. First off, way to go Karen ...second off, I think this makes several interesting points.
What groups like Anonymous fail to see is the very real consequence of their actions. You've probably heard me say "Never let a valid cause get in the way of reckless actions" ...and this is a perfect example of that. In this data breach ...ask yourself who was hurt more. Was it BART? Or was it the end-users who were almost immediately phished, with attempts made to compromise them? Now ask yourself how you can in good conscience support that kind of activity... honestly.
I know many of my colleagues in Information Security sympathize with the Anonymous cause, because it's not too difficult to do so. While I won't comment personally on how I feel about that - I can tell you I absolutely do not condone the reckless actions, and short-sighted activity that leads to more harm than good.
In the end, this does raise awareness for end-user education and that we should always be vigilant about what shows up in our mailbox. Users are the weakest link, and will continue to be... so how do you factor that into your IT Security and risk mitigation policy or framework? Are you prepared for your users to be phished of their corporate credentials? What about your customers? Keep in mind as hacktivism continues on its rampage of corporations and governments... you are the collateral damage. Stay vigilant, ever more so now that the war is on.
If you'd like to check whether your information was leaked, go here: http://www.djmash.at/release/users.html