Incident: Data Breach at Dacoll: Police Information Stolen by Clop Hackers

Published Date: 2021-12-18

Postmortem Analysis
Timeline
1. The theft of confidential information from Britain's police forces by Russian hackers happened in October 2021 [122213].

System
1. IT firm Dacoll's systems handling access to the police national computer (PNC) [122213]
2. National Automatic Number Plate Recognition (ANPR) system [122213]

Responsible Organization
1. The cyber-criminal gang Clop caused the incident by stealing confidential information, via a phishing attack, from an IT firm that handles access to the police national computer (PNC) [122213].

Impacted Organization
1. Dacoll, an IT firm that handles access to the police national computer (PNC) [122213]
2. NDI Technologies, a subsidiary of Dacoll that provides a critical service for 90% of the UK's police forces [122213]
3. NDI Recognition Systems, another subsidiary of Dacoll that provides IT support for the Automatic Number Plate Recognition (ANPR) systems used by the police, Highways England and DVLA [122213]

Software Causes
1. Phishing attack launched by the cyber-criminal gang Clop, which gave them access to sensitive material, including that of the police national computer (PNC) [122213].
2. Sophisticated virus contained in the phishing emails Clop sent to employees, which harvested data when opened [122213].

Non-software Causes
1. Phishing attack launched by Clop, giving them unauthorized access to sensitive information held by the IT firm Dacoll [122213].
2. Dacoll's refusal to pay the ransom demanded by the hackers, which led to the release of the stolen material on the dark web [122213].
3. Lack of robust cybersecurity arrangements between the multiple public and private organizations managing sensitive law enforcement data, as highlighted by national security expert Philip Ingram [122213].

Impacts
1. Confidential information held by some of Britain's police forces was stolen by Russian hackers, an embarrassing security breach [122213].
2. Clop released material taken from an IT firm handling access to the police national computer (PNC) on the dark web, potentially exposing the personal information and records of 13 million people [122213].
3. The hackers uploaded hundreds of files, including images of motorists from the national Automatic Number Plate Recognition (ANPR) system, which could compromise the privacy and safety of the individuals pictured [122213].
4. The breach raised concerns about the cybersecurity arrangements between the public and private organizations managing sensitive law enforcement data, calling the overall security of such systems into question [122213].
5. The incident highlighted the financial impact of ransomware attacks, with some firms paying significant sums to prevent sensitive material from being leaked [122213].

Preventions
1. Robust cybersecurity measures such as multi-factor authentication, regular security audits and intrusion detection systems could have prevented the phishing attack that led to the breach [122213].
2. Comprehensive cybersecurity training so that employees recognize and avoid phishing emails could have prevented unauthorized access to sensitive information [122213].
3. Regularly updating and patching software systems to address known vulnerabilities could have reduced the risk of exploitation by hackers [122213].

Fixes
1. Enhancing cybersecurity measures within the company, such as stronger network security protocols, regular security audits and employee training on identifying phishing emails [122213].

References
1. The Mail on Sunday [122213]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale: The data breach and ransomware attack by the Clop hacker group has affected multiple organizations. Clop has targeted various entities in the past, including the oil giant Shell, the American bank Flagstar, the University of California and, recently, Stor-A-File, a British data storage company with clients in the healthcare, legal and financial sectors [122213]. This indicates a pattern of targeting multiple organizations with ransomware attacks.

Category: Phase (Design/Operation)
Option: design
Rationale: (a) The incident can be attributed to the design phase. The breach occurred through a phishing attack that gave hackers access to sensitive information held by an IT firm that handles access to the police national computer (PNC) [122213]. The breach resulted from vulnerabilities introduced during system development or updates, which allowed the cyber-criminal gang Clop to exploit these weaknesses and steal confidential data.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The incident is primarily within_system. The failure occurred when the cyber-criminal gang Clop launched a phishing attack on Dacoll, an IT firm that handles access to the police national computer (PNC) [122213]. The hackers gained access to sensitive information, including the personal data and records of 13 million people, by exploiting vulnerabilities within the system. The subsequent upload of files to the dark web indicates that the breach and data leak originated from within the system's infrastructure.
(b) The incident also has outside_system factors. The breach was caused by Russian hackers external to the organization gaining unauthorized access to the IT firm's network [122213]. The hackers demanded a ransom after the phishing attack, highlighting the external threat posed by cybercriminals targeting the system. The article also notes that Clop has targeted various organizations in the past, indicating a broader external threat landscape that can affect the security and integrity of systems.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The incident occurred through non-human actions in that a phishing attack launched by the cyber-criminal gang Clop gave them access to confidential information held by some of Britain's police forces. The hackers stole material from an IT firm that handles access to the police national computer (PNC) and demanded a ransom from the company, Dacoll. When the company refused to pay, the hackers uploaded files onto the dark web, including images of motorists taken from the national Automatic Number Plate Recognition (ANPR) system [122213].
(b) Human actions also played a role: the hackers behind Clop sent phishing emails to employees of the targeted company, Dacoll. These emails appeared genuine but contained a sophisticated virus that harvested data when opened. The company's response to the ransom demand and the overall cybersecurity arrangements between multiple public and private organizations were likewise shaped by human decisions [122213].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The incident was not attributed to hardware issues. It was a phishing attack by the cyber-criminal gang Clop on Dacoll, an IT firm that handles access to the police national computer (PNC) [122213].
(b) The incident was primarily due to contributing factors originating in software. Clop gained access to sensitive information, including data from the PNC and ANPR systems, through a phishing attack that used a sophisticated virus embedded in emails sent to employees of the IT firm, Dacoll [122213].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale: (a) The incident is malicious. Russian hackers from the cyber-criminal gang Clop conducted a phishing attack to gain unauthorized access to confidential information held by some of Britain's police forces. They demanded a ransom from the IT firm Dacoll after stealing material, including data from the police national computer (PNC), which holds the personal information and records of 13 million people. When the ransom was not paid, the hackers uploaded the stolen files onto the dark web, potentially exposing sensitive information to fraudsters [122213]. The hackers deliberately breached the system and exploited the stolen data for financial gain.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) poor_decisions: The theft of confidential information from Britain's police forces by Russian hackers resulted from poor decisions made by the cyber-criminal gang Clop. They launched a phishing attack on the IT firm Dacoll, which handles access to the police national computer (PNC), and demanded a ransom after gaining access to sensitive material [122213].
(b) accidental_decisions: The incident can also be attributed to accidental decisions or unintended consequences, in that Dacoll's decision not to pay the ransom led to the hackers uploading files containing sensitive information onto the dark web [122213].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The incident in Article 122213 can be attributed to development incompetence, as the cyber-criminal gang Clop successfully launched a phishing attack on Dacoll, an IT firm that handles access to the police national computer (PNC). The attack led to the theft of confidential information held by some of Britain's police forces, including the personal information and records of 13 million people. The breach occurred through a lack of professional competence in handling cybersecurity measures and protecting sensitive law enforcement data [122213].
(b) The incident was accidental in the sense that Clop gained access through a phishing attack that appeared genuine to employees but contained a sophisticated virus. Opening it led to the theft of sensitive information, including images of motorists from the national Automatic Number Plate Recognition (ANPR) system. The employees' part in it was unintentional; the access resulted from the phishing emails being treated as genuine [122213].

Category: Duration
Option: temporary
Rationale: The incident is temporary. It resulted from a cyber incident on October 5 that affected Dacoll, an IT firm handling access to the police national computer (PNC) [122213]. The incident was limited to an internal network not linked to any of the clients' networks or services, indicating that the failure was temporary and had no permanent impact on the clients' systems.

Category: Behaviour
Option: other
Rationale:
(a) crash: The incident does not involve a crash in which the system loses state and performs none of its intended functions. It is a security breach and data theft by hackers rather than a system crash [122213].
(b) omission: The incident does not involve the system omitting to perform its intended functions at one or more instances. It revolves around a cyber-criminal gang stealing confidential information from an IT firm that handles access to the police national computer (PNC) [122213].
(c) timing: The incident is not about the system performing its intended functions correctly but too late or too early. It is a security breach and data theft rather than a timing issue [122213].
(d) value: The incident does not involve the system performing its intended functions incorrectly. It is a security breach and data theft rather than a malfunction of the system's intended functions [122213].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. It is a security breach and data theft rather than inconsistent system behaviour [122213].
(f) other: The behaviour is a security breach orchestrated by the cyber-criminal gang Clop, which stole confidential information from an IT firm handling access to the police national computer (PNC). The incident involves data theft, ransom demands and the leak of sensitive information on the dark web, rather than a typical software failure such as a crash or malfunction [122213].

IoT System Layer

Layer: Perception
Option: processing_unit, network_communication
Rationale:
(a) sensor: The article does not mention any sensor errors contributing to the breach.
(b) actuator: The breach does not appear to involve any actuator errors.
(c) processing_unit: The failure appears to relate to the processing unit, as the hackers gained access to sensitive information, including data from the police national computer (PNC), through a phishing attack that gave them access to material handled by the IT firm Dacoll [122213].
(d) network_communication: The breach involved network communication, as the hackers uploaded stolen files to the dark web, a hidden area of the internet, after gaining unauthorized access to the company's network through a phishing attack [122213].
(e) embedded_software: The article does not mention any issues related to embedded software errors.

Layer: Communication
Option: unknown
Rationale: Article 122213 does not say whether the failure was specifically related to the communication layer of the cyber-physical system. It focuses on a cyberattack by the Clop hacker group on Dacoll, an IT firm that handles access to sensitive information, including the police national computer (PNC) and the Automatic Number Plate Recognition (ANPR) system. The attack involved a phishing campaign that led to the theft of confidential information, including images of motorists and potentially other sensitive data. On the information provided, it is therefore unknown whether the failure was related to the communication layer.

Layer: Application
Option: FALSE
Rationale: The incident is not related to the application layer of the cyber-physical system. It is a cybersecurity breach in which confidential information held by some of Britain's police forces was stolen by Russian hackers through a phishing attack and ransomware tactics. The breach is not directly linked to bugs, operating system errors, unhandled exceptions or incorrect usage within the application layer, so the failure is not attributed to the application layer as defined here.

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale: (d) property: People's material goods, money or data were affected by the software failure. The incident involving the cyber-criminal gang Clop resulted in the theft of confidential information held by some of Britain's police forces. The hackers stole material from Dacoll, an IT firm that handles access to the police national computer (PNC), which holds the personal information and records of 13 million people. After launching a phishing attack, the hackers demanded a ransom from Dacoll; when the company refused to pay, they uploaded hundreds of files onto the dark web, including images of motorists taken from the national Automatic Number Plate Recognition (ANPR) system. The incident breached sensitive law enforcement data and raised questions about the cybersecurity arrangements between public and private organizations [122213].

Category: Domain
Option: government
Rationale:
(a) The failed system supported the government sector, specifically the police forces in Britain. The incident involved the theft of confidential information from an IT firm that handles access to the police national computer (PNC) [122213]. The compromised system provided critical services to 90% of the UK's police forces, giving officers remote access to the PNC and supporting the Automatic Number Plate Recognition (ANPR) systems used by the police, Highways England and DVLA.
(l) The incident also has implications for the government sector, as it calls into question the cybersecurity arrangements between the multiple public and private organizations managing sensitive law enforcement data [122213]. The National Cyber Security Centre and the National Crime Agency are investigating and mitigating the impact of the breach on the government sector.
