Sunday, July 16th, 2023, 2:51 pm
On the Greater London Authority Data Breach With Sex Abuse Victims’ Personal Details
Video download link | md5sum 65e2f74fa8f4c609f78e27dd7bf22983
Greater London Authority (GLA) Breaches Not Surprising
Creative Commons Attribution-No Derivative Works 4.0
Summary: The biggest clients of Sirius ‘Open Source’ included the Greater London Authority, or GLA for short; GLA is making some shy and bashful faces right now, as there’s negative publicity after a damning incident.
The account sharing (mal)practices at GLA were noted here before. We often shared usernames and passwords (one colleague even sent passwords in plain text by Gmail) and last year I cautioned GLA that LastPass had been breached and that Sirius kept GLA passwords in there. The vault was never safe and I protested against the use of LastPass repeatedly for several years (the liar would not listen). I habitually complained about bad security practices and only in 2022 or thereabouts did we finally have individual UNIX accounts on the gateway machine rather than a shared account. Imagine the company bragging about ISO compliance while doing all that.
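A shared UNIX account on a gateway host leaves no way to tell which person did what, and the usual tell-tale sign in the logs is one username logging in from many different source addresses, often with password rather than key authentication. The script below is an added example, not code from the original post or from Sirius or GLA: it parses constructed sshd "Accepted" lines (the host name `gateway`, the account names and the addresses are all made up for illustration) and flags accounts that look shared, so an administrator can spot the practice before moving everyone to individual accounts.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real GLA or Sirius logs). The host name,
# account names and addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Jul 10 08:02:11 gateway sshd[2101]: Accepted password for ops from 203.0.113.10 port 51234 ssh2
Jul 10 08:05:43 gateway sshd[2133]: Accepted password for ops from 198.51.100.7 port 40211 ssh2
Jul 10 09:17:02 gateway sshd[2290]: Accepted publickey for alice from 203.0.113.10 port 52001 ssh2
Jul 10 10:40:55 gateway sshd[2402]: Accepted password for ops from 192.0.2.44 port 39944 ssh2
Jul 10 11:01:19 gateway sshd[2510]: Accepted publickey for alice from 203.0.113.10 port 52344 ssh2
Jul 10 12:30:01 gateway sshd[2604]: Accepted password for ops from 203.0.113.10 port 53120 ssh2
Jul 10 13:12:48 gateway sshd[2711]: Failed password for ops from 192.0.2.99 port 41000 ssh2
"""

# Only successful logins matter for the "who shares this account" question;
# "Failed password" lines are deliberately not matched.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


def logins_by_user(log_text):
    """Map each username to the set of source addresses and auth methods it used."""
    stats = defaultdict(lambda: {"sources": set(), "methods": set()})
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("user")]
        entry["sources"].add(m.group("src"))
        entry["methods"].add(m.group("method"))
    return dict(stats)


def flag_shared_accounts(log_text, max_sources=1):
    """Return (user, distinct_source_count) for accounts seen from more than
    max_sources addresses, the classic footprint of a shared login."""
    stats = logins_by_user(log_text)
    flagged = [
        (user, len(info["sources"]))
        for user, info in stats.items()
        if len(info["sources"]) > max_sources
    ]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def password_users(log_text):
    """Return users that authenticated with a password at least once; a shared
    password is exactly what lets several people use one account."""
    stats = logins_by_user(log_text)
    return sorted(u for u, info in stats.items() if "password" in info["methods"])


if __name__ == "__main__":
    for user, count in flag_shared_accounts(SAMPLE_AUTH_LOG):
        print(f"{user}: seen from {count} distinct addresses")
    print("password logins:", ", ".join(password_users(SAMPLE_AUTH_LOG)))
```

On a real host the same logic would be run over `/var/log/auth.log` or `journalctl -u ssh`; the threshold of one address per account is deliberately strict, since a legitimate individual account usually shows one or two home addresses, while a shared team account shows up from everywhere.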
The video above focuses less on account sharing and instead talks about the site, including Drupal. In the distant past we already had severe permission issues (these were pointed out internally), but it remains rather baffling, if not flabbergasting, that names of sex crime victims somehow ended up on the public Web site. They should not be on any site at all. I explain the Microsoft-centric workflows and how they contribute to the risk. Poor security practices and a lack of proper protocols made the current blunder more or less inevitable. Cowboys shooting from the hip is no way to run the site of a city as important as London.