Story 2014-12-19 2W4N ICANN gets hacked after employees hand out private data in phishing scam

ICANN gets hacked after employees hand out private data in phishing scam

by
in security on (#2W4N)
ICANN has reported a major security breach. The organization, which is responsible for managing IP addresses (among other things) for the internet, was hacked late last month. Using basic spear phishing attacks, hackers managed to trick ICANN employees into giving up private credentials upon receiving emails that appeared to come from the organization itself. As a result, several internal systems have been breached.

ICANN reports that not only were internal emails accessed, but also a number of other things including an employee only wiki-page with public data, as well as the database to see who has registered a certain domain. Hackers also accessed the Centralized Zone Data System (CZDS), which allows them access to user names, addresses, emails and other contact/personal data. While certainly the most troubling of them all, the passwords stolen in the CZDS breach were encrypted and not just sitting around as plain text entries.

The organization implemented improved security measures early this year, before the attack. The group now plans to implement additional security measures.

U.S. officials previously announced plans to relinquish the federal government's control over managing the Internet to a “multistakeholder community” in March, following backlash over revelations about the National Security Agency's surveillance program. The cyber attack could fuel those wary of ICANN's transition to an international authority, who argue the move would compromise the safety of the Internet. Some opponents doubt the organization’s ability to manage the Internet for the entire globe.
Reply 3 comments

Remind me (Score: 1, Interesting)

by Anonymous Coward on 2014-12-19 14:27 (#2W4Z)

...what the penalty to ICANN for exposing data?

Re: Remind me (Score: 1)

by evilviper@pipedot.org on 2014-12-21 18:29 (#2W7W)

I imagine if you can show a financial loss as a result of their shoddy security practices, they may be held liable in civil court and be required to pay compensation plus penalties, like any other organization.

Alternate theory (Score: 0)

by Anonymous Coward on 2014-12-21 04:12 (#2W6X)

This was done in response to the crappy new TLDs