Hacking the famous
March 18, 2013
US First Lady Michelle Obama likes shopping at Banana Republic - at least that's what her credit card records show on the website exposed.su. The site has published personal information, such as credit histories or social security numbers, of Jay-Z, Beyonce, US Vice President Joe Biden and former US Secretary of State Hillary Clinton.
There is, however, no way to tell how the site, which makes use of the .su suffix for the Soviet Union, got the information or even if anything published there is true. The data is not thought to stem from hacked mobile phones or other direct routes to the people in question. Instead, it seems to have come from compromised credit agencies. Some of the information is also freely available in public records. Titled "The Secret Files," exposed.su was not accessible when this article was published, but according to media reports, the site read: "If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve." Although the site garnered some interest for providing a view into the lives of the rich and famous and several investigations are now looking into how someone gained access to such private information, there have been no major scandals associated with the page to date.
If you're famous, you're a target
"The celebrity gossip is one thing, but what's much more important in my view is that people take sufficient protection from things like industrial espionage," said Constanze Kurz, a spokesperson for the European hacker association Chaos Computer Club.
Kurz added that politicians and business leaders tend to be of particular interest to hackers.
"The Federal Office for Information Security attempts to protect officials' networks and top politicians," she said. "But politicians and business leaders are humans, too, and sometimes for the sake of convenience put information that should be protected on personal mobile phones."
It is fairly simple to access text messages and calls made from a normal mobile phone, she said. And while German Chancellor Angela Merkel is known for communicating by text messages, her phone is protected by encryption that is not installed on the average phone, Kurz said.
Individuals, regardless of their prominence, have no real power to control the data saved by third parties, which could have been the source of exposed.su's information, according to Udo Helmbrecht, director of the European Network and Information Security Agency. He drew a comparison between the IT world and real life: "As a customer with a bank account you also have no influence over whether your bank gets robbed or not. These things just happen."
Legal measures necessary
Kurz of the Chaos Computer Club, however, said it is up to politicians to take steps to protect such large amounts of information. "Companies that process this data do so under certain conditions, and in Germany, the conditions are set by lawmakers."
Laws should be enacted to require companies to improve the protection of their databases or face serious consequences, she said, adding that such measures would convince companies to invest more in protecting their networks. She also said companies should be required to tell authorities when their networks are attacked by hackers.
It's becoming increasingly evident to companies that they must prioritize storing sensitive information such that it is not compromised by inside sources. In the last year, for example, an employee at an IT service provider was accused of selling e-mails from the German Health Ministry to a pharmacy lobby group.