Five thousand dollars, to be paid in cryptocurrency: this is the starting price at which an anonymous cybercriminal is trying to auction what he claims is a list containing the data of over 7 million people vaccinated in Italy. The announcement first appeared mid-morning on Saturday, June 12, when the seller posted three samples of the archive, containing the names, surnames and other personal data of thousands of people, on an online forum. Italian Tech has verified the quality of the information shared as a sample.
However, little is known about the origin of the stolen data, since the criminal did not want to reveal the technical details of the vulnerabilities used to acquire it.
“The data does not come from a single database, but is related to Covid vaccinations and aggregated from different and multiple sources that I intruded into”, explained the seller, who writes in English, when contacted by Italian Tech via Telegram for comment.
In one of the disclosed archives, in text format, a field named “requested sending date” appears, and every date listed falls within the period between 27 February and 8 March 2021, as Italian Tech has already reported. Each date is also accompanied by a time, which suggests an automatically generated list of registrations, possibly referring to sign-ups to obtain the vaccine. The second disclosed file instead contains over 800 identities, accompanied by the wording “already positive”.
“I will not go into detail on the individual vulnerabilities, nor can I reveal which targets I hit,” he adds, “but I can say that the general level of security of the affected infrastructure was embarrassing: if it hadn’t been me, certainly someone else would have got there.”
Initially, this newspaper reported that most of the data in the samples could be attributed to citizens enrolled in the National Order of Psychologists, which, however, numbers only 100,000 professionals, very far from the 7 million people allegedly present in the as-yet-unpublished archive. It is the criminal himself who clarifies that this circumstance “is due to the fact that the data shared as a sample comes from the same folder”, alluding to the presence of other files.
Further confirmation comes from the National Order of Psychologists itself, which, responding to a request for comment, specified that it does not hold vaccination information on its members and that there has been no intrusion into its systems.
The black hat (slang for a malicious hacker) also revealed that he may have already found two possible buyers and that, once they have been served, he will not resell the archive to anyone else, so as not to devalue the data it contains. The negotiation will be handled by an intermediary chosen by the criminal, and payment will be made in a cryptocurrency whose details he does not want to disclose, for fear of giving clues to the authorities.
According to the sale announcement, the malicious hacker claims to possess thousands of passwords, protected by encryption, which he nonetheless did not include in the public samples because “the type of encryption used would help to understand where they come from”, he explains.
Contacted by Italian Tech, the Postal Police said it is carrying out a preliminary analysis of the case to ascertain whether the disclosed data actually comes from an unlawful computer intrusion or whether it is instead a fabricated compilation of information disclosed previously and therefore already available online.
Rewards for hackers
If Italy had a rewards program for hackers who find a vulnerability and disclose it ethically, perhaps such episodes would be rarer and less serious: this is what the cybercriminal himself tells us, referring to the strategy of the so-called bug bounty (English for “reward for vulnerabilities”). Increasingly widespread around the world, these programs give the hundreds of thousands of IT experts who scour the net an incentive to alert infrastructure operators when they identify a vulnerability, in exchange for token or cash recognition.
By his own admission, the criminal who disclosed the data of thousands of Italian citizens would not have taken advantage of such a reward and would have turned to the black market for data anyway. However, “without a doubt this would have helped other people and primarily the victims”, he specifies: “Hiring qualified system administrators instead of random people would have been useful”.