2010/09/01

Serious Data Leak Puts National Security in Jeopardy


The Liberty Times reported a serious government security leak ("MOFA Employees' Email Passwords All Exposed on Google"), in which the private data (names, email addresses and passwords) of more than 2000 personnel of the Ministry of Foreign Affairs (MOFA) was exposed, including those of the former and current ministers of MOFA, Francisco Ou (歐鴻鍊) and Timothy Yang (楊進添), respectively.

The leak was discovered accidentally by an internet user who was searching for some information on Google and found a document containing all the data mentioned above. The document, with the substring "MOFA" in its filename, is stored on the FTP server of a company, 新寶網通公司, which is responsible for the internet service and security of MOFA.

The report was followed by a blame game: MOFA claimed that it was 新寶網通's fault. 新寶網通 claimed that some hacker(s) must have (that means, they don't know) hacked into their server and opened it up to the public; otherwise it wouldn't have been accessible through Google ("Contractor Explains Leak of MOFA Mailbox Accounts and Passwords: Backup Server Was Hacked").

A side note here: the document could also be publicly accessible if the company forgot to set the access privileges on that file. Blaming unidentified hackers might make an internet-security company look less guilty. Incompetent, maybe.

This is not the first time government data has been leaked. In May 2008, taxpayers' private data submitted to the Ministry of Finance (財政部) for tax returns was exposed ("Government Leaves Itself Undefended: Tax Filing Data Has Also Leaked Before"). MOF blamed that on taxpayers, saying that some commonly used P2P software that users had on their computers caused the leak.

That leak was certainly less damaging than the current one, which opened up a channel to national secrets.

Both MOFA and 新寶網通 claimed that the leaked emails and passwords were 5 to 6 years old and were no longer valid, so there's no security problem.

However, the exposed data contains that of both ministers who served under Ma Ying-jeou's government (that is, within the past 3 years), but not that of former ministers who served under Chen Shui-bian's government ("Vendor: What Was Found in the Search Is Six-Year-Old Data").

It's obvious that both MOFA and 新寶網通 are lying.

More crucially, evidence provided by journalists showed that people were still able to use some of the leaked data to log in to MOFA's system until Aug. 26th, which was 5 days ago.

In response, 新寶網通 says that they don't know why.

Yeah, who would have known? The imagined hackers shouldn't have targeted them in the first place.

How long has that data been leaking? How many users or hackers have already made use of that data to sneak into the MOFA internal system? When did secret documents fall into outsiders' hands, and how many? And to what extent has national security been jeopardized?

Since MOFA doesn't want to face the fact that the login data was still valid 5 days ago, should we assume they have already determined that there's no need to consider possible security breaches and that the case will be closed soon? After all, we will all feel safe as long as we pretend this never happened.

1 comment:

Unknown [19/11/16 21:44] said...

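Taiwan is controlled by the despicable party. For 67 years the people have had no power to amend any law. Police, DAs and judges extort and arrest people and control speech, while the despicable man Terry Gou (郭臺銘) can bribe the despicable party, the KMT, and not be bound by the criminal offenses of defamation and public insult. In other words, the rich can do whatever they want through bribery, while ordinary people are constantly extorted and controlled by Taiwan's evil police, evil prosecutors and evil dinosaur judges.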