Booz Allen Hamilton Hack Reveals Military Email Addresses
A group of hackers who have taken credit for several high-profile data breaches in recent weeks said Monday it had done it again, this time infiltrating the network of a government contractor and releasing what it says are thousands of military email addresses.
Calling the hack "Military Meltdown Monday," the hacker group claimed to have penetrated a computer server of Booz Allen Hamilton, released a list of more than 90,000 military email addresses and encrypted passwords, and deleted 4 GB of source code.
The hacker group works under the label "AntiSec," which is believed to consist of the hacker groups Anonymous and Lulz Security, or LulzSec, which disbanded in June. In recent weeks, members of AntiSec have claimed responsibility for, among other things, leaking personal data of Arizona law enforcement for its strict immigration policy and disabling websites for the city of Orlando for its policy against feeding the homeless without a license.
On its website, Booz Allen says it offers "robust cybersecurity solutions" and says that "cybersecurity cannot be treated as an afterthought." But the hackers said Monday it was easy to break into the firm's own network, which "basically had no security measures in place."
A spokesman for Booz Allen Hamilton said the firm's policy is not to comment on "specific threats or actions taken against our system."
The data breach comes three days after the hacker group claimed responsibility for breaking into the system of IRC Federal, a contractor for the Federal Bureau of Investigation.
It also comes two weeks after hackers breached a Gannett Co. database containing emails and passwords of subscribers to Defense News and other publications read by members of the U.S. government and military.
Hackers can use such emails to access government computer systems through targeted attacks called "spear phishing," in which the attacker appears to be a trusted sender and tricks recipients into opening malware, according to Chester Wisniewski, senior security adviser at the cybersecurity firm Sophos.
"Many of these successful hacks of government systems have occurred through people being directly phished," he said.
Hackers can "get a foothold on a computer and put a virus on it and that virus can collect all the passwords or documents they access," Wisniewski added. "It could open people up to more exposure to these types of attacks and make it easier for the bad guys to compromise their system."
AntiSec, however, was unlikely to have such intentions, Wisniewski said.
"Their job is just to embarrass people," he said.
The hacker group also said Monday that Anonymous has uncovered "all sorts of other shady practices" by Booz Allen, including potentially illegal surveillance systems, corruption between company and government officials and warrantless wiretapping.
"All of this, of course, taking place behind closed doors, free from any public knowledge or scrutiny," the group said, adding, "Thanks to the gross incompetence at Booz Allen Hamilton probably all military personnel of the U.S. will now have to change their passwords."