Thousands of email addresses leaked after hack
THOUSANDS of email addresses belonging to businesses and councils in Wales have been dumped online after a health club firm was targeted by a “classic hack”.
Information belonging to 16 of Wales’ 22 councils and from gyms around the nation was posted on a site called siph0n.net after the attack on Incorpore, which provides gym memberships for people through their employers.
The Sussex-based company insisted none of the information leaked was sensitive and no gym users’ information was taken.
But David Jones, of Cardiff’s Westgate Cyber Security, said he was worried that people’s identities could be discovered from fragmented details spread across the internet.
“When you do that, email addresses, with other information, can become something of value,” he said.
He said the result can effectively be identity theft. “If you have different bits of information, when you piece it together, you can have jigsaw identification.
“Within seconds we were able to locate social media accounts and photographs of gym staff using only the dumped emails.”
The UK Safer Internet Centre’s Kathryn Tremlett dubbed the theft a “real classic attempt at a hack”.
“I would hope Incorpore would be taking steps to make sure their systems were secure and someone had reported it to Action Fraud,” she said.
“It’s Incorpore’s responsibility to contact their users.”
The Welsh Local Government Association notified its members.
“This data breach is a matter for the company concerned, given approximately 6,000 contact details, including businesses, councils, other organisations and individuals have been published,” a spokesman said.
“After such a data breach, the company will no doubt have reviewed its data security arrangements.
“The company should also contact all individuals and organisations on the list to notify them of the breach, reassure them that steps are being taken to review data security and to advise them to change passwords and security settings as appropriate.
“Of the approximately 6,000 email addresses on the list, only 16 relate to Welsh councils and the email addresses would have been publicly available.
“However, some unique organisational identifiers or passwords may also have been published.
“The WLGA has therefore contacted the councils concerned.”
Incorpore’s Rob Tinch said it was not a hack but an “unauthorised log-in”.
He said the attack was identified “in about 13 minutes of them logging in” and the system was then “locked down.”
He insisted “no passwords” from the gyms were leaked and there was no risk to gym users. “We are quite fastidious about security.”
The firm was later asked whether users were notified and Action Fraud contacted but no one had responded at the time of going to press.