The most dangerous leak in the history of GDPR era ?

[Bert the Derp]

Hey Forum,

 

I want to give a little more echo to the thing happened this week in Hungary which could pose as a HUGE example how NOT TO implement a new software. Now I know this article is not in english (it will appear probably very soon tho), but Google Translate does well as far as I can see it. (find sources and translate https://translate.google.com/?hl=hu&sl=hu&tl=en&op=websites ) TL;DR at the bottom.

 

Background

In Hungary, the government have centralized and digitalized the education system in primary and secondary schools. Unified software, school books, curriculum, etc... For this, they made contract with a company to develop the software that can has to be used in every school by every teacher and every student as well. This is where they get their grades, this is where their timetables appear, important messages, notifications, sick leave management, etc... Really everything. This is called "KRÉTA". (Translates to "chalk")

 

The event

The developing company was hit by a phishing attack back in September. According to the GDPR in Europe, they required to report this to the local authorities within 15 days. Now it is November and earier this week, the attack was surfaced. After 2 months... The hackers gained access to the source codes of the software (both WebService, Mobile App, Desktop app) and even credentials for the test, staging and LIVE SERVERS ! Now what that means in practice:

 

EVERY student and teacher in Hungary has their personal data leaked and proven to be stolen !

 

What this means if a sick bastard gets its hand on the data, it can make a similar query like this:

• female students
• age between 13-16
• lives in X county
• lives with grand parents or foster parents (which means she is probably orphan)
• has bad grades

I don't think I have to tell you, this is opening doors to some very serious crimes.

Quote

If the publicly available information and the circulating rumors turn out to be true, then in my opinion the worst incident of the GDPR era in Hungary has occurred, which is particularly significant not only because of the number of people involved or the amount of compromised personal data, but also because of the people involved - children. Worrying...

said the cyber security expert.

 

My thoughts and TL;DR

This is a story. A story of a "how not to develop" and "how not to manage IT incidents". The developers knew they were hacked, they knew the data is compromised, they know how sensitive the data is, they just tried to keep quiet about it. Sadly, this company is owned by current government personell friends, thus they will certainly not go to jail or get fined. Only on a symbolic level only. But I hope I can raise attention to this case and "maybe put pressure" on the local authorities to act faster and more strictly. The data of our children are no joke and this must be protected at all cost.

 

Sources

https://telex.hu/tech/2022/11/07/kreta-rendszer-e-naplo-kozoktatas-adathalasz-tamadas-adatszivargas-ekreta-informatikai-zrt

https://telex.hu/tech/2022/11/09/kreta-rendszer-ekreta-zrt-adathalasz-tamadas-adatszivargas-elhallgatas-naih-vizsgalat-eljaras

https://telex.hu/tech/2022/11/11/kreta-adatszivargas-forraskod-ekreta-zrt-fejlesztok-elvandorlas

 

[HenrySalayne]

23 minutes ago, Bert the Derp said:

What this means if a sick bastard gets its hand on the data, it can make a similar query like this:

• female students
• age between 13-16
• lives in X county
• lives with grand parents or foster parents (which means she is probably orphan)
• has bad grades

I don't think I have to tell you, this is opening doors to some very serious crimes.

No, nobody should be able to do that.

Because of a principle that could be best describes with the German word "Datensparsamkeit" (data parsimony), only data which is absolutely necessary for the task should be gathered. And this data should be pseudonymised.

In this particular case I don't see a need for most of this data.

- sex - is this relevant for course selection?

- date of birth / age - is not relevant for a school

- country - completely irrelevant

- other people of the household - super-irrelevant

- grades - could be easily pseudonymised with a student number like some countries already do

 

The underlying problem here is not only the data breach itself but clustering this data to begin with. This is not in accordance with GDPR.

[leadeater]

6 minutes ago, HenrySalayne said:

No, nobody should be able to do that.

Because of a principle that could be best describes with the German word "Datensparsamkeit" (data parsimony), only data which is absolutely necessary for the task should be gathered. And this data should be pseudonymised.

In this particular case I don't see a need for most of this data.

- sex - is this relevant for course selection?

- date of birth / age - is not relevant for a school

- country - completely irrelevant

- other people of the household - super-irrelevant

- grades - could be easily pseudonymised with a student number like some countries already do

 

The underlying problem here is not only the data breach itself but clustering this data to begin with. This is not in accordance with GDPR.

All those data points are relevant for schools and schooling. Worked a really long time in the education sector and done a lot of IT support for schools and used many Student Management Systems.

 

One of the key problems here is the source code for the application along with account credentials, for the running live system, were obtained so even if the data in the database was stored encrypted and not clear text everything required to read the data had been obtained.

[Spotty]

Thread cleaned.

No political content, regardless of your views.

• If something spans politics and tech, the discussion must remain clearly within tech and must not descend into politics.

[GOTSpectrum]

Well that's scary, but I feel like we are only going to see more of this not less in the coming years. A scary time to be alive if you like privacy, safety or even a basic idea of feeling secure. 

 

The worst part is in many situations you can't do anything about it, we are seeing ever greater push by tech companies towards verifying who you are, via credit card, phone number, related emails ect. 

 

 

[GOTSpectrum]

1 hour ago, leadeater said:

All those data points are relevant for schools and schooling. Worked a really long time in the education sector and done a lot of IT support for schools and used many Student Management Systems.

 

One of the key problems here is the source code for the application along with account credentials, for the running live system, were obtained so even if the data in the database was stored encrypted and not clear text everything required to read the data had been obtained.

I agree, I interned in a schools IT department and all of this data was on the register(old british name for the role-call at the beginning of class, now used incorrectly for the whole student database system) 

 

long story short, schools have lots of data, and they need it, but it should be secure 

 

[leadeater]

23 minutes ago, GOTSpectrum said:

I agree, I interned in a schools IT department and all of this data was on the register(old british name for the role-call at the beginning of class, now used for the incorrectly for the whole student database system) 

 

long story short, schools have lots of data, and they need it, but it should be secure 

Here to be a teacher you can't have a criminal conviction for an offence that has a maximum sentence greater than 2 years. To work within a school, even as a contractor, you have to have a criminal background check with similar restrictions of offences. Basically speeding fines etc is the maximum before you're not allowed to do any work within a school.

 

A lot of health services are delivered through schools, like certain adolescent vaccinations some of which are for females only. Then you have other services like basic health care and counselling .

 

Then of course to enroll in a school you have to actually prove who you are and you have to keep a copy of that proof or a reference to the proof identification document i.e. Birth Certificate.

 

There's also mandatory requirement to track attendance and reporting on that, an unexplained truant student has to be reported by the school to truancy officers by 10am.

 

Any important at home situations need to have an alert flag on file i.e. father not allowed to pickup child.

 

Long story short since still only scratching the surface schools have a ton of personal and serious data on children and large parts of security on that is built only around trust, sadly large parts of that can only ever come down to trust. Auditing after that fact is often too late or simply not sufficient to pickup problems with inappropriate access of data. It's actually one of the reasons why these systems want to be centralized so the costs associated with the systems can be more efficiently spent and more effective auditing put in place, the other side of that coin however is the risk due to that centralization of data and access to it. This story case and point.

[GOTSpectrum]

2 minutes ago, leadeater said:

Here to be a teacher you can't have a criminal conviction for an offence that has a maximum sentence greater than 2 years. To work within a school, even as a contractor, you have to have a criminal background check with similar restrictions of offences. Basically speeding fines etc is the maximum before you're not allowed to do any work within a school.

 

A lot of health services are delivered through schools, like certain adolescent vaccinations some of which are for females only. Then you have other services like basic health care and counselling .

 

The of course to enroll in a school you have to actually prove who you are and you have to keep a copy of that proof or a reference to the proof identification document i.e. Birth Certificate.

 

There's also mandatory requirement to track attendance and reporting on that, an unexplained truant student has to be reported by the school to truancy officers by 10am.

 

Any important at home situations need to have an alert flag on file i.e. father not allowed to pickup child.

 

Long story short since still only scratching the surface schools have a ton of personal and serious data on children and large parts of security on that is built only around trust, sadly large parts of that can only ever come down to trust. Auditing after that fact is often too late or simply not sufficient to pickup problems with inappropriate access of data. It's actually one of the reasons why these systems want to be centralized so the costs associated with the systems can be more efficiently spend and more effective auditing put in place, the other side of that coin however is the risk due to that centralization of data and access to it.

Same rules here, you have to get a enhanced DBS, which not only shows convictions but ANY arrest, it also checks the register for sex offenders, the register of 'banned people' (people who have been banned from working with the vulnerable, there are many reasons you can get put on the register) It's very strict here, just as it should be. 

 

But when it comes to security, I think the problem is simple, there will always be a hole, an exploit to be taken advantage of, it's only a matter of time until it is found. Yes, updating frequently, audits, pen testing ect can help lower the risk, but the risk is never zero. And now we are seeing more and more centralization we will see bigger and bigger data breaches. 

 

Personally I feel there should be funding dedicated to creating a standard architecture for these kind of things, and they should be kept seperate. Pre designed systems that are heavily tested and standardised. One school is bad enough, but an entire district or country is abhorrent.  

[HenrySalayne]

6 minutes ago, leadeater said:

Here to be a teacher you can't have a criminal conviction for an offence that has a maximum sentence greater than 2 years. To work within a school, even as a contractor, you have to have a criminal background check with similar restrictions of offences. Basically speeding fines etc is the maximum before you're not allowed to do any work within a school.

 

A lot of health services are delivered through schools, like certain adolescent vaccinations some of which are for females only. Then you have other services like basic health care and counselling .

 

Then of course to enroll in a school you have to actually prove who you are and you have to keep a copy of that proof or a reference to the proof identification document i.e. Birth Certificate.

 

There's also mandatory requirement to track attendance and reporting on that, an unexplained truant student has to be reported by the school to truancy officers by 10am.

 

Any important at home situations need to have an alert flag on file i.e. father not allowed to pickup child.

 

Long story short since still only scratching the surface schools have a ton of personal and serious data on children and large parts of security on that is built only around trust, sadly large parts of that can only ever come down to trust. Auditing after that fact is often too late or simply not sufficient to pickup problems with inappropriate access of data. It's actually one of the reasons why these systems want to be centralized so the costs associated with the systems can be more efficiently spent and more effective auditing put in place, the other side of that coin however is the risk due to that centralization of data and access to it. This story case and point.

The American way of doing things is not necessarily the way it is done in other countries. That's why I don't see a need (at least here in Europe) to harness so much data that's actually not needed. You basically need

- the name

- an address

- maybe the birth date or some other form of identification to tell people with identical names apart. But this could be a simple number.

You might need to supply additional information to enroll, but this information doesn't need to be stored.

All other data might be "relevant" because they collected this data for years and why would you change that? Which is the worst reason to collect and centralize personal information.

 

[leadeater]

21 minutes ago, HenrySalayne said:

The American way of doing things is not necessarily the way it is done in other countries. That's why I don't see a need (at least here in Europe) to harness so much data that's actually not needed. You basically need

- the name

- an address

- maybe the birth date or some other form of identification to tell people with identical names apart. But this could be a simple number.

You might need to supply additional information to enroll, but this information doesn't need to be stored.

All other data might be "relevant" because they collected this data for years and why would you change that? Which is the worst reason to collect and centralize personal information.

 

I'm not from the US nor describing anything to do with US systems. What I have described is pretty much universally common and unless you've got some actual working experience in schools knowing what data they actually need simply isn't going to be that apparent to you.

 

Also yes every student has an NSN (National Student Number).

 

P.S. Something like age is unavoidable to store, what year level a student is in is literally the same thing however age must be used because date of birth actually effects what year level one is actually in depending on when in the year someone was born. Students can also be held back a year. What age a child is effects what laws and regulations are applied and how. Schools simply do need to know date of birth and it has to be recorded and kept.

 

Socioeconomic factors are important too, like where a student lives. Depending on where a family lives can effect funding allocated to the child that the school receives along with data reporting on these types of things to track effectiveness of the schooling system down to the school level. 

 

So like I said unless you have strong direct experience in the education sector it's going to be very difficult for you to know what is and is not actually required.

 

In a perfect world a lot of this data would only be held in single systems under the control of the relevant entity and then things like data reporting would have access to those data sources so that anonymity can be preserved as much as possible. Since we don't live in a perfect world and we don't have these systems in place to meet certain requirements schools or schooling systems have to individually collect and store information to comply with those requirements. Neither would that be risk free either.

[HenrySalayne]

42 minutes ago, leadeater said:

I'm not from the US nor describing anything to do with US systems. What I have described is pretty much universally common and unless you've got some actual working experience in schools knowing what data they actually need simply isn't going to be that apparent to you.

 

I only really heard of in-school mass vaccinations from the US, so I assumed you were talking about it. My mistake. That's not a thing here in Germany, hence the school doesn't need to know any medical data.

42 minutes ago, leadeater said:

So like I said unless you have strong direct experience in the education sector it's going to be very difficult for you to know what is and is not actually required.

That's true. I think I did not made my point clear: only very little information needs to end up in a centralised, cloud-based, do-it-all application with 10 billion attack vectors. Most schools (at least here in Germany) operate as islands and administrative tasks (including personal information) are done locally. There are centralised learning management systems, but only with the limited personal data mentioned before.

 

[jagdtigger]

34 minutes ago, HenrySalayne said:

I only really heard of in-school mass vaccinations from the US, so I assumed you were talking about it. My mistake. That's not a thing here in Germany, hence the school doesn't need to know any medical data.

We have mandatory vaccinations in school, IDK exactly for which diseases though...  Plus it is important that the school knows about certain medical conditions so they wont endanger the kids.

[kmanchine]

1 hour ago, HenrySalayne said:

I only really heard of in-school mass vaccinations from the US, so I assumed you were talking about it. My mistake. That's not a thing here in Germany, hence the school doesn't need to know any medical data.

 

 

Same here we have mandatory vaccines, for different kind of illnesses, viruses or tetanus shots. for example i had 3 during my time in school.

[wanderingfool2]

1 hour ago, HenrySalayne said:

administrative tasks (including personal information) are done locally

The general point of centralizing is having a more consistent system overall.  Local policies can lead to discrepancies between school and things can start slipping through the cracks (and become issues when information is trying to be verified).  [e.g. admin assistant is away and the temp doesn't know where the file is for a kid...or the kids file gets misplaced].

 

4 hours ago, HenrySalayne said:

- sex - is this relevant for course selection?

- date of birth / age - is not relevant for a school

- country - completely irrelevant

- other people of the household - super-irrelevant

- grades - could be easily pseudonymised with a student number like some countries already do

sex - can be relevant (and now and days preferred pronoun is relevant).  Some places still separate gender for classes as well (e.g. all girls classrooms and all guys classrooms).

 

DOB - leadeater covered it

 

Country/people in he household - forget country, they need the home address and contact information.  If the kid has a medical issue they need to contact people.  Actually it goes even further.  It's authorized people to pick up the children.  It's an actual thing, as I'm the registered emergency pick-up for my niece and nephew.  Never had to, but if I went there they would have to look it up.

 

Homelife - Some information regarding whether or not the person has a difficult homelife likely is recorded as well.  As it is something that comes into play when there is an issue with the child (e.g. noting they look malnourished or exhibiting anti-social behavior)

 

grades - It's important to be able to identify a student with a grade.  So you need to ultimately be able to do that with the database, so the database would contain enough to identify them.

 

I honestly wouldn't be surprised if they kept disciplinary issues in there as well

 

As for the vaccines in school, I would have thought it would be quite common around the world...as you have the same age group of kids, you know the count (thus the amount of vaccines to bring), and you can bring them in coordinated groups

[Kisai]

6 hours ago, leadeater said:

All those data points are relevant for schools and schooling. Worked a really long time in the education sector and done a lot of IT support for schools and used many Student Management Systems.

 

One of the key problems here is the source code for the application along with account credentials, for the running live system, were obtained so even if the data in the database was stored encrypted and not clear text everything required to read the data had been obtained.

More to the point, when people don't understand the difference between one-way and two-way encryption, often a data leak is like "don't worry the passwords were encrypted" when they really mean "we do what everyone else does and only match the password hash", that kind of encryption is usually not a big deal if it leaks as long as the salt (they did use a salt right) wasn't leaked. Cause when it is, then brute forcing becomes rather easy.

 

Two-way encryption is when supposedly "secure databases" are reversible, usually at a much higher level than would make sense for the expected level of security. That could mean anything from "the connections are secure, but the underlying database is not" to "every row in the database has different nonce. Which ends up becoming meaningless if the source code with a "hard coded" algorithm is leaked. 

 

Let's see...

Quote

As you can see on its website , a total of twenty modules and various applications are included, including services such as the e-diary, e-audit, institutional administration system, digital collaboration space, e-administration, as well as health, catering, management, HR - administration related to affairs.

Oooh, yeah that's very bad.

 

This should be worrying, because similar things have happened in North America and generally go unreported, or the first we hear about it is from FOIA (Freedom of Information Act) style requests from someone who was "there" to know it happened.

 

[GOTSpectrum]

4 hours ago, HenrySalayne said:

I only really heard of in-school mass vaccinations from the US, so I assumed you were talking about it. My mistake. That's not a thing here in Germany, hence the school doesn't need to know any medical data.

mass vax are common across europe though in schools, it just makes sense logistically speaking. Also medical data is still needed without that, allergies, meds, learning difficulties, autism, dyslexia, mental health, disabilities, medical needs while at school such as ongoing meds, any treatment, diabetes and many many other things are needed to be known by schools 

[Taf the Ghost]

I came across a great story in Intelligence circles about stealing a prized turtle statue to show the point that centralization of data is always a sever risk. This, however, is a good example of why so much data collection should really stay on paper.

[HenrySalayne]

37 minutes ago, GOTSpectrum said:

mass vax are common across europe though in schools, it just makes sense logistically speaking.

Depends on the country (I don't have an overview). But it seems most vaccinations in Hungary are mandatory and a few are given in schools.

37 minutes ago, GOTSpectrum said:

Also medical data is still needed without that, allergies, meds, learning difficulties, autism, dyslexia, mental health, disabilities, medical needs while at school such as ongoing meds, any treatment, diabetes and many many other things are needed to be known by schools 

The exact diagnosis is often not needed. The teacher needs to know the implication for their students. "Student doesn't need to participate at PE classes." "Student has 30% more time take exams."

 

Which brings us back to my original point: who needs access to this data? Needless to say nobody outside of the school. If teachers have access to this kind of data about their students, a single phishing attack can be catastrophic without the entire system being compromised.

 

 

[GOTSpectrum]

25 minutes ago, HenrySalayne said:

The exact diagnosis is often not needed. The teacher needs to know the implication for their students. "Student doesn't need to participate at PE classes." "Student has 30% more time take exams."

As someone who worked as both a youth worker and a social worker, I can tell you the exact diagnosis is often needed. At least in the UK we like to talk openly and honestly about what diagnosis any young person has, how it affects them Individually, how it can affect others and also how it affects those around them.

 

I'm not sure if you know this from my name but I'm autistic, and part of learning about the condition and how to manage happens in school. It is needed to happen in school because many times parents don't understand it and aren't able to teach the necessary skills. So unfortunately, you are wrong, knowing the exact diagnosis is important...

 

Also, if something were to happen at school, and the parents were unreachable, the school needs to be able to pass that information to first responders and such. 

 

If you have never worked in schools, youth work, social work out similar fields you really have no clue the lengths duty of care and safeguarding go...

[CarlBar]

Whilst i've never worked in a school from my memories of my own days i know they had all this and probably more on me at school here in the UK. And as noted a lot of it is required for emergencies or for putting students in the proper classes and years, and a whole host of other things related to the administration of school operations.

 

It's basically impossible to run a school according to the rules, regulations, and responsibilities of the law without it.

 

Also weather you think such info should be on record is almost irrelevant, the fact is it IS on record.

[HenrySalayne]

1 hour ago, GOTSpectrum said:

I'm not sure if you know this from my name but I'm autistic, and part of learning about the condition and how to manage happens in school. It is needed to happen in school because many times parents don't understand it and aren't able to teach the necessary skills. So unfortunately, you are wrong, knowing the exact diagnosis is important...

That's a fair point and a valid opinion.

Nevertheless, I think getting deeper into the details of what conditions should be publicly known or are even relevant for schools should not be part of this discussion.

Do you think a centralised platform for teachers and students should contain this information?

[GOTSpectrum]

5 minutes ago, HenrySalayne said:

That's a fair point and a valid opinion.

Nevertheless, I think getting deeper into the details of what conditions should be publicly known or are even relevant for schools should not be part of this discussion.

Do you think a centralised platform for teachers and students should contain this information?

I already answered that... 

 

8 hours ago, GOTSpectrum said:

Personally I feel there should be funding dedicated to creating a standard architecture for these kind of things, and they should be kept seperate. Pre designed systems that are heavily tested and standardised. One school is bad enough, but an entire district or country is abhorrent.  

 

[HenrySalayne]

1 minute ago, GOTSpectrum said:

I already answered that... 

My bad.

[GOTSpectrum]

1 minute ago, HenrySalayne said:

My bad.

no worries. 

 

Yes this data needs to be kept, but it should be locked down, secure, and DECENTRALISED 

[suicidalfranco]

meanwhile it italy: everything school related is still on paper medium, stored in file organizers. Data from this medium as yet to be leaked