No, the Christchurch hot pools weren’t ‘hacked’ – the council just messed up

It’s much easier to claim you’ve been hacked than to ‘fess up to failing to protect customer data, writes Dylan Reeve.

If there’s one important thing to know about modern computing, it’s probably this: security is hard.

In some ways internet security is easier now than it’s ever been – we have built-in antivirus; our home internet connections are usually pretty safely firewalled; most of the big websites we use have entire departments filled with well-trained geeks keeping things secure.

But also we’re in a time where everything is online. Hell, some car companies are using our ubiquitous always-online reality to turn things like heated seats into monthly subscriptions.

While getting stuff on to the internet is easier now than ever before, it’s also, therefore, easier to screw that up somehow. And that appears to be what happened to Christchurch City Council’s He Puna Taimoana hot pools.

The Stuff article about this issue, headlined ‘Computer hacker steals sensitive information from 20,000 Christchurch hot pools customers’, illustrates how the facts can be obfuscated when information security is covered those who – through no fault of their own – lack the specialist knowledge to fully understand what’s going on.

A better headline for their article would have been ‘Christchurch City Council organization leaves sensitive information from 20,000 customers unprotected online’.

Obligatory hacking stock photograph

I’ve written before about organizations crying “hacking” when they make mistakes that see their information shared more widely than they intended, and headlines about this latest situation, based on public statements from the council, did just that.

For some reason, it would appear the council-owned pools had been using a system that puts important files in “the cloud” – the nebulous term we use for stuff we store on the internet in a way we don’t really understand – and due to, presumably, some type of configuration error, more than 20,000 files (some containing sensitive personal information like passport details) were accessible to anyone who knew, or could figure out, where to look.

Why, exactly, was a council swimming pool storing sensitive personal data about their customers? Well it’s not immediately clear exactly what data was being stored online, but being a council facility, the complex offers discounted rates to local residents, for which proof of address and identity may be required. Part of this process can be completed online through the pool’s website, and requires the submission of a “proof of address”.

We live in a world of digital technology, and cheap storage, so it is often easy for organizations, when designing systems like this, to simply say, “oh, we’ll just store it all in case we need it later”. So, rather than just seeing the records in question, they’ll take a copy and hold on to them in case they want to double check later. Under New Zealand privacy law, organizations are only allowed to collect information they need for a lawful purpose, and they have an obligation to protect the information they collect. But many don’t think about whether they need to actually store all that they collect beyond the very moment it’s needed.

Spoiler: this data wasn’t ‘hacked’ either

In general, storing stuff online is easy and cheap now. You can sign up for an account with Microsoft Azure, Amazon Web Services or Google Cloud in just minutes, and there are countless ways to integrate existing software tools with those services. This ease of setup is also an ease of screw-up, however, and it’s simple to make a configuration mistake that might open your data to anyone who stumbles upon it.

But we also live in a time where irresponsibly handling customer data is frowned upon so, like many before them, the council decided to frame their mistake in this instance as the malicious action of someone else.

The Stuff article about the incident describes the event as “hacking” which is certainly how the council would like the situation understood, and says, in the opening paragraph, “information about as many as 20,000 members of the public has been stolen in a data breach”.

But a detailed post from US data breach news website, DataBreaches.net, which first notified the council about the issue, describes the situation very differently, explaining that a researcher had stumbled upon the unsecured “blob” (a general file storage container) on Microsoft’s Azure cloud service and attempted to notify the council without response before reaching out to DataBreaches.

In this instance the council had been relying on “security by obscurity”, essentially the idea that something is secure just by being hard to find – sort of like putting your life savings under a mattress, instead of a safe, on the grounds that no one is likely to look there.

Unfortunately for the council (and literally tens of thousands of other organizations worldwide which have made the same mistake), the contents of their unsecured storage had been discovered and indexed by at least some specialist search engines online that are used by both white hat (ethical ) and black hat (criminal) hackers for research and exploitation.

The initial researcher, and subsequently DataBreaches, downloaded only enough data from the cloud service to understand what was stored there and by whom, and then made good faith efforts to contact those responsible for the issue so they could correct it.

However in his email to affected customers, Christchurch City Council head of sport and recreation, Nigel Cox, said that a third party, which he accurately described as a “white-hat hacker” had “accessed and illegally downloaded files stored on the He Puna Taimoana cloud server”, suggesting a level of illicit activity that simply wasn’t present, and also subtly avoiding the question of the council’s culpability for failing to secure the data.

The article about the issue from DataBreaches concludes with this summary:

The council should have disclosed this incident by saying, “We screwed up and didn’t lock down all the files we had with your personal information. We’re sorry for that and embarrassed. Thankfully, a kind and ethical researcher discovered our mistake, and when they couldn’t reach us to alert us, they asked a journalist they trusted to make the notification. The researcher and their employer destroyed all the data they had downloaded.”

Organizations of all sizes need to take the time to understand the implications of the technologies they’re relying on, and when they (almost inevitably) screw something up, they should be up front with their customers and the public about what happened. Similarly, journalists who are covering the complex world of IT and information security should take the time to check with subject matter experts before taking an organization’s word for it that they were “hacked” – because most of them would much prefer that framing over “screwed up”.

Leave a Comment