Published Date: 2017-12-14
| Postmortem Analysis | |
|---|---|
| Timeline | 1. The software failure incident involving Grant West obtaining personal data of 165,000 Just Eat users happened between July and December 2015 as mentioned in Article [66206]. |
| System | The software failure incident described in the article did not involve a failure of a specific system or software component. Instead, it was a case of a cyber criminal, Grant West, conducting phishing scams and hacking activities to obtain personal data of users from various companies, including Just Eat, Sainsbury's, Groupon, Uber, T-Mobile, and Argos. The incident involved the compromise of user accounts through stolen usernames and passwords, as well as the use of 'brute force' attacks against multiple websites to obtain personal information. Therefore, the failure was not due to a specific system or software component malfunctioning, but rather a result of criminal activities targeting user data. |
| Responsible Organization | 1. Grant West, also known as 'Courvoisier', was responsible for causing the software failure incident by hacking into various websites, including Just Eat, and obtaining personal data of users [66206]. |
| Impacted Organization | 1. Just Eat customers [66206] |
| Software Causes | 1. Brute force attacks using specialist software to obtain personal information from 17 different websites [66206] |
| Non-software Causes | 1. Grant West used usernames and passwords stolen from third parties to access customer accounts, indicating a lack of strong authentication measures [66206]. 2. Grant West engaged in illegal activities such as selling cannabis, which could have distracted him from focusing solely on the cyber attacks [66206]. 3. Grant West's criminal behavior, including possession and supply of cannabis, could have led to his eventual arrest and exposure of the cyber attacks [66206]. |
| Impacts | 1. Personal details of 165,000 Just Eat customers were compromised and put up for sale on the dark web, leading to potential identity theft and fraud [66206]. 2. Just Eat incurred around £210,000 in mitigation costs as a result of the scam [66206]. 3. Grant West conducted similar attacks on other companies like Sainsbury's, Groupon, Uber, T-Mobile, and Argos, potentially affecting their customers as well [66206]. 4. West's hacking activities involved launching 'brute force' attacks against 17 different websites to obtain personal information, indicating a widespread impact on various organizations [66206]. 5. The incident led to the discovery of around £25,000 in cash, along with hundreds of grams of cannabis, during the police search of West's property, suggesting illegal activities beyond the cyber fraud [66206]. |
| Preventions | 1. Implementing multi-factor authentication for user accounts could have prevented unauthorized access even if usernames and passwords were stolen [66206]. 2. Regularly updating and patching software systems to fix vulnerabilities that could be exploited by hackers [66206]. 3. Conducting regular security audits and penetration testing to identify and address potential weaknesses in the system [66206]. 4. Educating users about the importance of strong, unique passwords and the risks of using the same password across multiple accounts [66206]. |
| Fixes | 1. Implementing stronger password policies and multi-factor authentication to prevent unauthorized access to customer accounts [66206]. 2. Conducting regular security audits and vulnerability assessments to identify and patch potential weaknesses in the system [66206]. 3. Enhancing employee training on cybersecurity best practices to prevent social engineering attacks and phishing scams [66206]. 4. Monitoring and detecting unusual activities on the network to identify potential breaches or unauthorized access attempts [66206]. 5. Enhancing encryption protocols for sensitive customer data to prevent unauthorized access in case of a breach [66206]. | References | 1. Grant West 2. Just Eat 3. Southwark Crown Court 4. Various companies targeted in the cyber attacks such as Sainsbury's, Groupon, Uber, T-Mobile, Argos, Asda, Ladbrokes, Coral, Nectar 5. Dark web 6. Bitcoin 7. Police 8. Just Eat spokesman 9. Judge Joanna Korner QC 10. Anna Mackenzie, West's barrister [66206] |
| Category | Option | Rationale |
|---|---|---|
| Recurring | one_organization, multiple_organization | (a) The software failure incident related to Just Eat happened again at multiple organizations. Grant West, the cyber criminal, targeted other firms including Sainsbury's, Groupon, Uber, T-Mobile, and Argos with similar attacks after his activities with Just Eat [66206]. |
| Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the article where Grant West, a cyber criminal, used usernames and passwords stolen from third parties to access customer accounts of Just Eat and other firms. This indicates a failure in the design of the authentication and security systems that allowed unauthorized access [66206]. (b) The software failure incident related to the operation phase is evident in the article where Grant West conducted 'brute force' attacks against 17 different websites using specialist software to obtain personal information. This highlights a failure in the operation or misuse of the systems targeted by West, leading to data breaches and security vulnerabilities [66206]. |
| Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in this case was primarily within the system. Grant West, the cyber criminal, used usernames and passwords stolen from third parties to access customer accounts on Just Eat and other websites. He launched 'brute force' attacks against 17 different websites using specialist software to obtain personal information [66206]. This indicates that the failure originated from within the system due to vulnerabilities in the authentication and security mechanisms of the targeted websites. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in this case was primarily due to non-human actions, specifically a cyber criminal named Grant West who used usernames and passwords stolen from third parties to access customer accounts on various websites, including Just Eat [66206]. This unauthorized access led to the theft of personal data of 165,000 users over a five-month period. (b) Human actions also played a significant role in this software failure incident. Grant West, the perpetrator, engaged in various criminal activities such as launching 'brute force' attacks against websites using specialist software, selling cannabis online, and conducting illicit online trade using Bitcoins [66206]. Additionally, West's actions led to financial losses for Just Eat and other companies targeted in the attacks. |
| Dimension (Hardware/Software) | software | (a) The software failure incident did not occur due to hardware issues. Instead, it was primarily driven by software-related factors such as cybercriminal activities, hacking, phishing scams, and computer hacking attempts using specialist software [66206]. |
| Objective (Malicious/Non-malicious) | malicious | (a) The objective of the software failure incident was malicious, as Grant West, a cyber criminal, intentionally accessed personal data of 165,000 Just Eat users through usernames and passwords stolen from third parties for sale on the dark web for use in a 'phishing' scam. He used specialist software to launch 'brute force' attacks against websites to obtain personal information and engaged in conspiracy to defraud Just Eat and its customers [66206]. |
| Intent (Poor/Accidental Decisions) | unknown | (a) The intent of the software failure incident related to poor_decisions: - The software failure incident in this case was not primarily due to poor decisions but rather a deliberate criminal act by Grant West, who engaged in cybercrime activities to obtain personal data of Just Eat users and other companies through hacking and phishing scams [66206]. |
| Capability (Incompetence/Accidental) | accidental | (a) The software failure incident in this case was not directly attributed to development incompetence. Instead, it was primarily a result of criminal activities by Grant West, who engaged in hacking and cybercrime activities to obtain personal data of Just Eat users and other individuals [66206]. (b) The software failure incident can be categorized as accidental in the sense that the breach and data theft were not intentional actions by the software or the legitimate users of the system. Grant West's actions, including hacking, phishing, and selling personal data, were deliberate criminal activities rather than accidental software failures [66206]. |
| Duration | temporary | The software failure incident described in the article is temporary. Grant West, the cyber criminal, engaged in a phishing scam by accessing customer accounts using stolen usernames and passwords over a five-month period between July and December 2015 [66206]. This indicates that the failure was due to contributing factors introduced by certain circumstances (the actions of the cyber criminal) but not all circumstances. |
| Behaviour | omission, value, other | (a) crash: The software failure incident did not involve a crash where the system loses state and does not perform any of its intended functions [66206]. (b) omission: The incident involved the omission of performing intended functions as the cyber criminal, Grant West, accessed customer accounts using stolen usernames and passwords, leading to a phishing scam affecting Just Eat customers [66206]. (c) timing: There is no indication in the article that the software failure incident was related to timing issues [66206]. (d) value: The incident involved the system performing its intended functions incorrectly as personal data of Just Eat users was accessed and used for fraudulent activities [66206]. (e) byzantine: The software failure incident did not exhibit byzantine behavior with inconsistent responses and interactions [66206]. (f) other: The software failure incident involved the system being compromised by a cyber criminal who used stolen credentials to access customer accounts, leading to a phishing scam and fraudulent activities [66206]. |
| Layer | Option | Rationale |
|---|---|---|
| Perception | None | None |
| Communication | None | None |
| Application | None | None |
| Category | Option | Rationale |
|---|---|---|
| Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident involving Grant West resulted in significant financial consequences for Just Eat and its customers. Grant West, a cyber criminal, accessed personal details of 165,000 Just Eat customers and attempted to sell this information on the dark web for use in phishing scams. Just Eat incurred around £210,000 in mitigation costs as a result of this incident. Additionally, West targeted other companies such as Sainsbury's, Groupon, Uber, T-Mobile, and Argos, among others, with similar attacks, leading to potential financial losses for these firms as well [66206]. |
| Domain | information | (a) The failed system was related to the information industry as it involved the personal data of Just Eat customers being compromised and sold on the dark web for phishing scams [66206]. (b) The incident did not directly involve transportation services. (c) The incident did not directly involve natural resources extraction. (d) The incident did not directly involve sales transactions, although the compromised data could potentially be used for fraudulent transactions. (e) The incident did not directly involve construction activities. (f) The incident did not directly involve manufacturing processes. (g) The incident did not directly involve utilities services. (h) The incident did not directly involve financial transactions, although there were mentions of money laundering Bitcoins. (i) The incident did not directly involve knowledge-related activities. (j) The incident did not directly involve health services. (k) The incident did not directly involve entertainment services. (l) The incident did not directly involve government operations. (m) The incident did not directly involve any other specific industry mentioned in the articles. |
Article ID: 66206