About 3,500 people who signed up for email or text message alerts from the Honolulu Police Department’s former "HPD Alerts" system may have had their names, email addresses, cellphone numbers and passwords compromised after the server was hacked by "an unauthorized person or persons" over the weekend.
The cyberattack appears to have been initiated by a hacker known as "X-Blackerz Inc" who apparently did it as part of #OpUSA, an action conducted in protest of the U.S. government’s military actions in the Middle East.
HPD officials, who learned of the security breach Monday morning, sent an email to subscribers Monday afternoon urging them to "monitor your online activity and Internet accounts." Further, the email said, "If you use the same password for other accounts, please consider changing passwords."
HPD spokeswoman Michelle Yu, in a statement emailed to media, said, "Subscribers’ names, phone numbers and email addresses were compromised."
A list of 31 names and their email addresses, cellphone numbers and purported passwords taken from HPD’s server was posted by X-Blackerz Inc on pastebin.com, which allows information to be posted to the public temporarily. The list contains both HPD employees and nonemployees who subscribed to HPD Alerts. An HPD employee whose name appears on the list said that while the email address and cellphone number were accurate, the password was not.
The same hacker also posted a list of 31 HPD email addresses and their supposed passwords on pastebin.com.
HPD began using the popular Nixle system in March 2011 to notify the public of road closures, tsunami warnings or other information affecting large numbers of Oahu residents.
But in late March this year, the department began HPD Alerts as a pilot program that was expected to replace Nixle and incorporate its Web page, Facebook and Twitter accounts.
HPD Alerts was discontinued as a text message and email notifier in mid-April. Yu’s email on Monday said it was discontinued "due to technical problems not associated with the cyberattack."
Yu said the department has now removed the database and added new measures to protect the information. "At no time did the breach affect police services," she said.
X-Blackerz Inc claims to have breached 100 different U.S. websites as part of #OpUSA, which is supposed to hit government agencies, banks and other private businesses en masse today, according to the Huffington Post.
The operation is not expected to cause widespread disruption, according to an article in the Huffington Post. The article said a similar effort last month called #OpIsrael failed to make a major dent in the websites of Israeli government agencies and businesses.
Jason Martin, president and chief executive of Honolulu-based Secure DNA, said so-called hacktivists attempt to find flaws in the security of websites to "capture data, take sites down or possibly use the sites to contribute to denial-of-service attacks."
Even when not successful in disrupting or shutting down operations, the hackers gain publicity and are able to get their message across, said Martin, whose company is among the largest dealing with information technology security in Hawaii.
Martin said he has approached several government agencies and companies both locally and across the U.S. to identify flaws in their systems. He declined to say whether HPD was one of them.
Companies and agencies "need to be actively looking at the security of their websites … because the bad guys will be testing it at some point, whether it’s for some operation like #OpUSA or just in general looking for systems they can exploit," Martin said. They should also be checking their logs to "see if anyone is probing or actively attacking their sites."