By John Donovan: Printed below is current email correspondence with the Open Security Foundation DataLossDB project, which had seen reports posted on the Internet that this website had been hacked by the “Brazilian Electronic Army”. The claims were false. Like the Brazilian Electronic Army, the Open Security Foundation seems to be under the impression that we are Royal Dutch Shell Plc.
EMAIL RECEIVED FROM THE OPEN SECURITY FOUNDATION
Dear Royal Dutch Shell PLC,
I am a researcher for the Open Security Foundation DataLossDB project, a project that tracks and compiles reported data breaches.
We have seen a report or claim that your organization recently suffered a data breach. The report was published at http://pastebin.com/FT5yNBfB and http://www.cyberwarnews.info/2013/04/06/royal-dutch-shell-blog-hacked-administrator-accounts-leaked/. The summary of the report we currently have is as follows: 63 Administrator accounts with email addresses and encrypted passwords dumped on the Internet. The report indicates that the datatype(s) of email addresses and passwords were involved.
This incident is scheduled to be entered in our database in 5 business days from today, unless we have reason to believe it is a false or otherwise inaccurate claim.
If the reported incident is a true report, could you please provide us with as much information as possible so that we can accurately report this, such as:
(a) How many people had their information compromised?
(b) What types of data were involved – names, Social Security numbers, credit card numbers, health data, etc.?
(c) Have those affected been notified or do you intend to notify them? If the latter, how and when?
(d) How did the breach occur (if you know that at this time)? Were the data acquired by a hacker, or did an employee fall for a phishing e-mail, etc.?
(e) Has the incident been reported to law enforcement? If so, when?
If you believe that the reported incident is a false report, please contact us immediately with a statement explaining why or how you know it to be false. In your statement, please indicate whether any publicly posted data (such as email addresses, passwords, etc.) were ever in any of your databases.
If the incident is added to the database and you subsequently wish to have the entry updated, please contact us with a description of any corrections or updates to the entry and your basis for requesting the change.
Please direct all responses to [email protected]. Thank you and we look forward to your prompt response.
Open Security Foundation / DataLossDB Project
RESPONSE EMAIL FROM JOHN DONOVAN
HACKING CLAIMS MADE BY THE SO-CALLED “BRAZILIAN ELECTRONIC ARMY”
This matter is surrounded by a degree of confusion.
Like the so-called Brazilian Electronic Army, you appear to believe that we are Royal Dutch Shell Plc (the nasty greedy oil giant).
In fact we are Royal Dutch Shell Plc .com, an independent, entirely non-commercial website, that monitors the activities of Shell.
We own the domain name as a result of a blunder by Shell, which merged the former Anglo-Dutch arms of the group into a single company – Royal Dutch Shell Plc – following a securities fraud that ruined the reputation of the former companies. Shell forgot to register the top level domain name for the new company and found out to their horror that we had already done so. Shell issued proceedings in an attempt to seize the domain name, but that turned out to be another PR blunder, since they lost the case.
The Brazilian Electronic Army claims to have hacked our website as a protest against Shell activities in Brazil – something to do with a fuel strike?
So we have anti-Shell protestors attacking (what has been described as) an anti-Shell website.
The only information that is accurate in the various claims made is the name of our server hosting company and the location of the server. That information is openly available on the Internet.
ALL OF THE OTHER INFORMATION IS ENTIRELY FALSE. OUR WEBSITE HAS NOT BEEN HACKED. THE CLAIMED LEAKED EMAILS AND “MD HASHES” ARE MADE UP NONSENSE. NO PASSWORDS HAVE BEEN OBTAINED.
Our website HAS BEEN the subject of regular non-hacking attacks for some years, frequently on a 24/7 basis. That activity has been reported to the UK police. It has never involved the theft or loss of any data. The website has also been the subject of a global espionage operation by Shell trying to trace who visits our site from Shell premises and/or posts insider information on it. In that regard, Shell spooks enlisted the services of the U.S. National Cyber-Forensics & Training Alliance – a specialist organisation located in Pittsburgh, partly staffed and funded by the FBI. Shell did once succeed in a covert action, which briefly closed the website down.
Dealing with your points:
a. No one has had their information compromised.
b. No data loss was involved.
c. Does not arise.
d. Never happened.
e. Not necessary, since no hacking occurred.
Royal Dutch Shell Plc did have a major problem with a database leak of contact information for 177,000 Shell employees and contractors. The database was leaked to us by Shell employees. Shell accepted that the information in our possession was authentic. After high-level discussions with Shell, we destroyed the database because we did not want to put the safety of Shell staff at risk.