In May 2023, there was a data breach that few noticed: the one against the data of Metronotte Piacenza, a private security company. On the surface, this attack was less important than the others (only 16 gb of data), but its content is much more sensitive.
What happened
According to the Ransomfeed portal, the LockBit group reportedly published the news of the data breach on 11/05/2023 at about 12:50 hours. One must consider that the attack normally takes place between 5 and 7 days before publication. Therefore, it is conceivable that the data breach occurred between 5 and 6 May.
Metronotte Piacenza S.r.l. is a private security company operating in the private and public sectors, offering its services in the provinces of Piacenza, Parma, Lodi, Pavia and Cremona. We are talking about a company with ‘100 patrols operating in the territory with a turnover of over 17 million euro’. The company is also certified for ISO 9001, UNI 10891, ISO 14001 and 45001, as is clearly shown on the site.
As a result of the data breach, approximately 16 Gb of data were exfiltrated, including personal data, copies of identity documents, but also data relating to surveillance activities carried out by the group.
Surveillance data
The main fear in cases like this is that it is surveillance-related data that is stolen. Checking the data leak revealed that these fears were well-founded: diagrams on the positioning of sensors, together with other material, were stolen. Before going any further, however, it is necessary to make a clarification: in order to protect the customers of Metronotte Piacenza S.r.l. and the company itself, the data below will be partial, obscured or censored.
Mention could be made of the PDF document in which the location of surveillance sensors is depicted along with their orientation. The map, found on the net, is much larger and refers to a specific customer whose name we prefer not to mention.
Real-time position of the patrol cars
Metronotte Piacenza S.r.l. has more than 100 agents operating in the territory. The cars in the fleet are monitored through a real-time GPS tracking service offered by the ComESer portal.
To access the portal it is necessary to have credentials (username and password) which, in the case of Metronotte Piacenza S.r.l., had been entered in an excel file stolen during the exfiltration. The file was password-protected, but the password chosen was so trivial that it seems to have been found on the first attempt. With the stolen credentials, the hackers may have been able to access the tracking portal and locate every single car in the fleet, complete with number plate and driver’s name.
The hope is that after the data breach, Metronotte Piacenza S.r.l. made the change of these credentials, otherwise it would be objectively serious.
The decision to protect files containing critical data by encryption is correct, but the protection is thwarted when a trivial password is adopted.
Conclusions
The attack on Metronotte Piacenza S.r.l. should not be underestimated; the data stolen in summary are:
- Personal data on employees.
- Personal data on employees’ family members.
- Personal data on customers (natural and legal persons) of the company.
- Data on alarm systems adopted and contracts submitted and signed.
- Company fleet data with real-time location, number plate and driver.
- Photocopies of identity documents, certificates, etc…
The adoption of security measures, such as encryption, must be done in accordance with robustness criteria proportional to the nature of the information to be protected.
