FT article: governments using software vulnerabilities to steal information

probe

Where did a certain country get the information it needed to create fake Irish passports, especially where the Irish citizens in question apparently never visited that country?

One option, of many possibilities, would be to exploit a security vulnerability on a computer system that contains these data.

Ryanair appears to be rapidly building up a database of information that would replicate the data held by passport offices of every country in Europe and beyond – using a system outsourced to Navitaire, a company based in the US – outside EU data protection laws – not that they are worth much in this context.

Worse still, the system is connected to the internet, potentially hackable from anywhere on the planet. Ryanair has no legitimate business need to collect passport information for most flights. No other airline I know – (eg Aer Lingus, Lufthansa, Air France, Swiss, Iberia, etc) requires passport info to be provided for online check-in. And no other airline on the planet forces one to check in online.

If someone can use a security vulnerability in Internet Explorer, in Google employees’ machines to steal root passwords for Gmail and perhaps other critical operational systems within Google, they can probably just as easily get into Ryanair’s and Navitaire’s systems to acquire an absolute feast of raw material to conduct identity theft and other crimes including murder in Dubai.

Equally they can probably get into any government computer system that is directly or indirectly interfaced with the internet.

Or steal credit card data, fiddle with online trading systems that run stockmarkets, and generally wreak havoc with a country's or company’s systems.

http://www.navitaire.com

http://www.ft.com/cms/s/0/a6f5621c-1f21-11df-9584-00144feab49a.html?nclick_check=1