The development company tried to hush up the hacking of KRÉTA
9 November 2022, 05:50
Photo: Péter Sz. Németh / Telex
Dániel Bolcsó
On Monday, we wrote that, according to information confirmed by several sources, a phishing attack hit KRÉTA's development company, eKRÉTA Informatikai Zrt., back in September. The attacker had access to almost all data of the state administration system, which is mandatory in every public education institution, including the personal data of students; and not only that, but also the company's other databases and source code, as well as the developers' internal communications.
After our article, one of the hackers behind the attack contacted us to share more details. The evidence he sent shows that the company had already learned that unauthorized access had taken place, and that they were discussing among themselves how to cover up what had happened. "Either you have to tell the truth all the way, or you have to deny it all the way, but there is no possibility of changing course along the way," wrote one of them.
The hacker wrote to Telex that they wanted to show the bad state of the Hungarian systems with their action, and that they are protesting against the problems with the attack, but they do not publish personal data because they do not want to harm the students.
According to a cyber security expert who spoke to us, based on the information made public, there are serious security failures at the development company. According to him, this could be the worst data protection incident of the GDPR era. After the publication of our first article, the data protection authority initiated proceedings in the case ex officio. According to the data protection expert, the fact that the company did not tell anyone about what happened could be an aggravating circumstance.
"Hello, eKRÉTA! Unfortunately, we successfully hacked your »professional« systems, and obtained a lot of data, including: source codes, databases, and I could list more! […] By the way, thank you for the very important, informative Slack conversations, the journalists will surely like that you lie to the police, etc."

- this is the message that greeted the employees on an internal communication interface of eKRÉTA Zrt., the company that develops the KRÉTA public education administration system, after the company was hit by a phishing attack: in a fraudulent email, one of the project managers clicked on an infected link, and the attackers gained access to their systems, among other things to data managed by KRÉTA, as well as to developer databases and code.

We know this from the fact that one of the hackers involved in the attack contacted us to reveal more details after our article publicizing the data leak based on other sources. We talked to him about who they are, why they attacked the developer of KRÉTA, what they wanted to achieve with this, and what they will do with the acquired data. We will return to this in the second half of the article, but first let's see how eKRÉTA Zrt handled the attack.

Incidentally, we received a similar image from within the company about the hackers' message, confirming its authenticity:


What kind of data are we talking about? When writing our previous article, we contacted the former development manager of KRÉTA, Gábor Kovács, who has no knowledge of the specific case but knows the structure of the system itself and the development process. Among other things, we asked him what unauthorized intruders could access if they actually obtained a project manager's password in such a phishing attack. "Unfortunately, a lot of things. KRÉTA contains almost all the data of students and teachers in some module; the trivial category is student numbers and other personal data, or tickets and warnings," said Gábor Kovács, who added that even more sensitive data could be accessed this way. "To mention nothing else, data such as: students' disabilities and behavioral disorders, which are classified data; exemptions, certificates, health data; HR data of teachers and other employees; budget and management of institutions; registered documents of institutions."

As evidence, the hacker who contacted us also sent screenshots of the leaked databases and code libraries (no personal data, of course).

But the most convincing evidence was not this, but the fact that he copied the email I sent to the Ministry of the Interior before our first article to confirm the attack on the system used in public education.

(The letter was obtained from the company to which it was forwarded by the ministry or the Klebelsberg Center.)



Balázs doesn't even want to know about it
According to the pictures and excerpts from the internal communication that reached us, the officials had a lot of discussions about how to handle what happened. According to a chat message stream between project managers, one of them - the one who clicked on the suspicious link, i.e. the hacked project manager - noticed that someone had made a change with administrative access for which only four people, including him, knew the password, and since none of the four had done this, they did not understand what could have happened. "But at least he only changed the password, nothing else, but even then I don't understand, and even then it's a shame what to tell the police," he wrote.

(It should be noted here that the reference to the police does not refer to the case of the hacking of eKRÉTA itself, since no police proceedings had been initiated in connection with it until the publication of our previous article. It is about another, independent case in Békéscsaba. In the response quoted in our previous article, the National Police Headquarters wrote that "due to suspicion of crimes committed in relation to the KRÉTA system", four criminal proceedings have been initiated in recent months, one of them "on the basis of a report from an educational institution [...] at the Békéscsaba Police Department on suspicion of a crime of threatening public danger". The school had a bomb alarm, and the threatening letter was sent on the KRÉTA school messaging interface, which is why the police contacted the company.)

"It's even worse, because the messages in question came after Fori changed the student's password," wrote the project manager later, when it began to dawn on them that they might have run into a bigger problem. ("Fori" is the mentioned technical admin account that the hackers accessed.) "What the hell," replied another participant in the conversation. "And what the hell are we going to do with it now? Balázs doesn't even want to know about it - from what I understand..." wrote the project manager, presumably referring to Balázs Szabó, the CEO of eKRÉTA Zrt., whom we contacted several times before the publication of our previous article, but, as with the company's central contact address, we received no email reply from him either, and he did not pick up the phone.



In another message, the project manager who fell victim to the phishing wrote the following a little later, at the end of September:

"After our meeting on Thursday, I had a bad feeling about whether we were doing it right. It was an important statement on your part that you either have to tell the truth all the way through or deny it all the way through, but there is no possibility of making changes on the way. I want you to know that I really can't lie, but I don't want to."

Regarding the account with administrative rights that was discovered to have been accessed, he wrote: "[…] it can be admitted that we had such a technical user, but we terminated it immediately after the incident, which is absolutely true. (This came to light on Sunday, September 18; I immediately changed the password, and the next day I deleted all user logins - I set them to deleted.) [...] If we denied this and he had proof of it (picture, video, login data downloaded from me, whatever), then we would end up in a situation that should definitely be avoided."

The full text of this last letter, together with some pictures, was already published by the hackers on Monday evening, on the Telegram channel where, according to the member of the group who spoke to us, they plan to publish more data.

According to the signs, the publication of our article on Monday did not escape the attention of the company's employees either, because the following message appeared on the internal communication channel that day:


Neither Klebelsberg Központ nor eKRÉTA Zrt. has responded to our inquiry, which was first sent almost a month ago. We have now sent more questions to the company. We wanted to find out from them whether they could confirm that the company's management was already aware in September that unauthorized persons had access to KRÉTA's data; and if so, why they decided not to file a report or notify anyone about the incident. They had not responded by the time this article was published, but if they respond later, we will report on it.

We are not like that, here is all the data of minors
When we managed to speak with the hacker who goes by the name sawarim, we asked him to tell us as much as he could about who they are and why they decided to launch an attack against the developer of KRÉTA. Here are the details of our conversation about it in an edited form:

How many of you are there?

Internationally approx. 110, 4 people in Hungary, there are also minors among us. There is only this project in Hungary, and they are working on others globally. Sawarim is our unique name, there are currently several teams with different names.

The origin of the name sawarim raises the question of whether they sympathized with the Islamic State.

Nope, it's just good music, we stumbled on it.

What is the common point between teams from different countries that connects you? Any common goal?

So that all people globally can live a normal life, not be oppressed by the government, and that politics is only about making the top 1 percent feel good, while the bottom layer dies, and we are trying to solve these with digital attacks.

This sounds similar to an anonymous message, do you have any of them, or is it independent of that?

Independent of course. Already from previous attempts, they realized that peaceful protest against politics will not work. That's why we try offensive protests.

And why did you make this attack on eKRÉTA, what is your goal?

I could say that the presentation of the Hungarian systems, how careless and how "developed" this all is. Of course, we would also like to, for example, not publish the data if teachers' wages are increased, etc. But nothing came of it, you see. Just a leak and hello.

And why didn't it happen?

We didn't want blackmail, as it could have turned out badly on our part.

Aren't you afraid that you could harm innocent students and teachers if their data gets out? Or you don't post data, only other codes?

We do not post login data, maximum source codes, images, evidence of forgeries, etc. We didn't plan to disclose personal data, that's clear, because we're not the type to do it, here's all the data of minors and teenagers.

However, what they will publish, according to their claim, will be published in the next few days on the Telegram channel created for this purpose, where some things were already posted on Monday evening.

But how did they get in?
We also asked the hacker how they managed to get into eKRÉTA's systems. According to his claim, they managed to introduce a malicious program they had written, a so-called RAT (remote access trojan, i.e. a Trojan program enabling remote access), and that it got through all the company's anti-virus and protection software unnoticed. This type of malware is good for exactly what its name suggests: it installs on the infected system and thereby also introduces the attackers: it allows remote access, which can mean remote monitoring of the system, but also the execution of commands or the extraction of data.

The trojans were distributed through the KRÉTA messaging system: they selected all administrators and, in a deceptive phishing email pretending to be someone else, sent the link needed to download the malware, disguised as something that might arouse the interest of the targeted administrators - and as we have since seen, one of them indeed did. One of the project managers clicked even before the employees were notified within the company that it was a phishing email, and with this they managed to obtain his password, which they used to access everything. "There was no two-step identification and it all runs on one system, so if you have owa.rufuz.hu, then you have access to everything," said the hacker. (Rufusz Computer Informatika Zrt. is one of the companies of Zoltán Fauszt, whose sphere of interest also includes eKRÉTA Zrt. - we wrote about this at the end of our previous article.)

In mid-September, they didn't have access to the systems yet, so they only got into the already mentioned technical administrator account that worked in every school, but even with that they were able to view the address and other data of any student. "Later we found out that we actually had access to everything: emails, source codes, etc." According to the hacker, 238 GB of compressed data was finally taken from the company. They don't know the exact number of people affected by their personal data, but it could be tens of thousands.

It can already be guessed from what has been said so far, but the hacker also confirmed that, although based on the company's internal communication, eKRÉTA might have thought that the attack had finally been repelled, the attackers are actually still inside their systems.

"Currently, we have been in since September, because when the password was changed, we were still in the project manager's email, not in KRÉTA, but in Gmail."

There may be serious deficiencies
It is not only a layman who may wonder how the developer of such an extensive and important system could be hacked so easily. A cyber security expert also told Telex that what happened points to serious security gaps.

"Based on the currently public information, it is not possible to outline exactly how this incident could have happened, what could have led to the fact that the attackers were able to access the data and the source code of the application by impersonating an employee of the organization. The various comments perhaps best raise the question of how it could happen that the attackers could gain access to all data by obtaining the authority of a project manager (by impersonating the project manager). This can definitely raise gaps, such as the lack of two-factor authentication or sophisticated authorization management," said the expert, who requested anonymity due to the sensitivity of the topic.

“In general, a project manager should not have this access, and the system should not allow such high-privilege access without two-factor authentication. Presumably, in violation of the "narrowest rights" directive, the user concerned may have had additional rights that were not necessary due to his job role. Such situations can also occur due to the simplification of administration and the bureaucratic simplification of authorization management processes, when the authorization management capability of the system is adequate, but it is "simpler" to grant all authorizations to a user so that one does not have to bother with requesting and approving authorizations. It may happen that roles have overlapped, the project manager also performed some additional technical activities,

As we know, in the case of eKRÉTA Zrt., exactly this stacking of roles may have happened: the project manager also performs support activities, so that he does not have to access several schools individually every day, he simply has access to everything when needed.

"The separation of authorizations is also questionable from the point of view of what kind of access the attackers gained. If the relevant user's access to company IT systems was obtained, why was it possible to access the operated live server environment and the data stored in it with this authorization? Presumably, the lack of separation of user and administrative privileges may have been associated with the fact that the separation of the rights of the systems (the corporate IT environment and the live server environment) was not realized either, i.e. it was possible to access all systems with a single user."

"If the publicly available information and the circulating rumors turn out to be true, then in my opinion the worst incident of the GDPR era in Hungary has occurred, which is particularly significant not only because of the number of people involved or the amount of compromised personal data, but also because those involved are children, which is worrying,"

said the cyber security expert.
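As an added illustration of the three points the expert raises (no second factor, roles stacked onto one user, no separation between the corporate and the live environment), the following Python is not eKRÉTA's code: its environments, roles, users and school names are hypothetical, and it sets the flat "one user, all systems" pattern beside a policy that keeps the grants apart.

```python
"""Toy authorization policy illustrating the expert's points above.

Constructed example, not eKRÉTA's code: environments, roles, users and school
names are hypothetical. It sets the weak pattern the article describes (one
user whose grants apply to every system, no second factor) beside a policy that
keeps corporate and live grants apart, demands a second factor for privileged
live actions and scopes a support grant to a single school.
"""
from dataclasses import dataclass
from typing import Optional

CORPORATE = "corporate"   # mail, chat, source repositories
LIVE = "live"             # operated production environment holding school data

# Least-privilege role table: the actions each role may perform, per environment.
ROLE_GRANTS = {
    ("project_manager", CORPORATE): {"read_mail", "read_source"},
    ("developer", CORPORATE): {"read_mail", "read_source", "write_source"},
    ("support", LIVE): {"read_student_record"},   # one school at a time
    ("platform_admin", LIVE): {"read_student_record", "change_password", "export_db"},
}
# Live actions that are never allowed without a verified second factor.
MFA_REQUIRED = {"read_student_record", "change_password", "export_db"}

@dataclass
class Session:
    user: str
    roles: set
    mfa_verified: bool = False
    school_scope: Optional[str] = None   # a support grant is limited to this school

@dataclass
class Decision:
    allowed: bool
    reason: str

def flat_authorize(session: Session, action: str) -> Decision:
    """Weak pattern: no environment split, no second factor. Any action any of the
    user's roles holds anywhere is allowed everywhere, so a phished corporate
    credential reaches live student data."""
    granted = set()
    for (role, _env), actions in ROLE_GRANTS.items():
        if role in session.roles:
            granted |= actions
    return Decision(action in granted, "flat policy: grants apply to all systems")

def authorize(session: Session, env: str, action: str,
              school: Optional[str] = None) -> Decision:
    """Separated policy: grants are looked up per environment, privileged live
    actions need a second factor, and non-admin live access is school-scoped."""
    granted = set()
    for role in session.roles:
        granted |= ROLE_GRANTS.get((role, env), set())
    if action not in granted:
        return Decision(False, f"no role of {session.user} grants {action!r} in {env}")
    if env == LIVE and action in MFA_REQUIRED and not session.mfa_verified:
        return Decision(False, "second factor required for privileged live action")
    if env == LIVE and "platform_admin" not in session.roles and school != session.school_scope:
        return Decision(False, f"support grant is scoped to {session.school_scope!r}, not {school!r}")
    return Decision(True, "allowed")

# Article scenario: a project manager who also does support, whose password was
# phished, so the attacker's session carries no second factor.
PHISHED = Session("pm", {"project_manager", "support"}, school_scope="school-A")
```

Under the flat policy the phished session reads live student records; under the separated policy the same credential still reads corporate mail, but every live action is refused until a second factor is verified, and even then only for the one school in scope.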

For the sake of context, he also added that access data of KRÉTA users had already been circulating on the Internet: "There are a total of 46,238 records, which affect 34,635 unique users." These were not stolen centrally, but were collected from the individual users themselves by the various data-stealing programs installed on their devices, and of course with these only the data of the given user can be accessed, not the other data in KRÉTA - and unfortunately this is the normal state of affairs: such stolen data for all kinds of services can be found in the specialized corners of the Internet.

The NAIH is already investigating
According to the data protection regulation of the European Union, the GDPR, the data controller is obliged to report data protection incidents within 72 hours. However, according to KRÉTA's information on data management, with regard to the public education system the developer eKRÉTA Zrt. is not the data controller but the data processor; the data controllers are the institutions that use it. (Since the data breach affected not only KRÉTA's data but also eKRÉTA Zrt.'s internal databases, in some respects the company can also be a data controller in the matter, but we are now focusing on KRÉTA, which is more important from the point of view of the public interest.) According to the law, therefore, eKRÉTA Zrt. does not have a direct notification obligation to the NAIH regarding the KRÉTA system, but it does have a notification obligation to the institutions acting as data controllers.

"The data processor has little direct responsibility under the GDPR. But one of them is to meet the data security requirements during its operation, which it develops based on the product it offers. Therefore, the data processor is directly responsible for properly establishing and complying with these, NAIH can hold them accountable for this," data protection expert Krisztina Ivanics told Telex.

In case of violation, the maximum fine that can be imposed on the data processor can be 4 percent of the annual sales revenue or 20 million euros (whichever is higher). As we wrote in our previous article, eKRÉTA Zrt.'s annual net sales in 2021 were HUF 12 billion, according to the company database. It is important that this is only the maximum, the authority considers each case, and "when the NAIH determines the gravity of the violation, it can also take into account the failure to notify as a fine-increasing item," said Krisztina Ivanics.

Before the publication of our first article, we contacted the NAIH, and their reply revealed that "the Authority has not received a notification of a data protection incident involving the KRÉTA public education system or eKRÉTA Zrt.". However, an investigation can be started even without it: "The NAIH does not necessarily have to wait for a notification in order to be able to take action; it can start on its own. As an authority, it has room for maneuver: it can not only request contracts and declarations, but also send specialists to view the systems, look into the log files, request reports, etc. So it has many tools to act if it wants to," Krisztina Ivanics noted.

This happened in the meantime: after the publication of our first article, we contacted the NAIH again to see if they planned to launch an investigation into the matter in the light of the information that had been made public.

"Regarding your request, I would like to inform you that the National Data Protection and Freedom of Information Authority has initiated proceedings in the case ex officio. The Authority will not provide further information until the procedure is concluded"

Attila Péterfalvi, president of the NAIH, answered our inquiry.

Earlier, the police responded to our inquiry that no criminal proceedings had been initiated in the case, but this may change: after our article, István Tényi filed a report against an unknown perpetrator on suspicion of the crime of breaching an information system or data.