Local council’s VPN sold on eBay for 99p

1 Oct 2008

“It could happen to anyone” is the advice of a technology security expert following news that a VPN belonging to a local authority in the UK was sold on eBay for 99 pence.

It emerged in recent days that a security expert called Andrew Mason from Random Storm bought a piece of network hardware on eBay for 99p. After switching the equipment on, he found he was able to access the supposedly secure network of Kirklees Council.

This, said Ciaran Farrell, business development manager with Kroll Ontrack in Ireland, has serious implications and exposes a hole in the understanding of organisations when handling and disposing of valuable data and equipment.

“I suspect that people are scratching their heads wondering how this happened given strict security policies at Kirklees Council,” Farrell said. “Awareness of the threats to data is generally high, but the continuing stream of breaches demonstrates that there is no substitute for the best practice of implementing and adhering to some basic principles of data security.”

Farrell warned that every organisation needs to have truly holistic data security policies and procedures in place. This involves creating a process that monitors the lifecycle of all hardware, not just disk drives. In this instance, it may be that because the VPN device was not immediately recognisable as a hard drive, the strict security procedures were overlooked.

“A truly holistic procedure would involve an audit trail to track and trace every single item from installation to destruction, hence overcoming the possibility of a piece of hardware ‘slipping through the net.’ This practice also overcomes the possibility of human error in mislaying a piece of equipment. Most organisations know exactly where each piece of equipment is when in use, and the same must also be true with end-of-life equipment.”

Farrell said the Kirklees breach could have also been prevented by wiping the data completely using a degausser, or even destroying the device itself.

“A breach such as this can damage an organisation’s reputation, incur hefty fines or even result in individual redundancies.

“This message is not glamorous, but as in the detail of most procedures, adherence prevents problems,” Farrell said.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years