When TheDarkOverlord hacked Channel Ship Services, they not only acquired personal data that could be misused for fraud, but they claim they also acquired information that can jeopardize maritime security.
According to Jersey-based Channel Ship Services’ website, CSS Limited provides highly qualified permanent and contract specialist personnel to the global offshore industry. Those personnel have recently had some of their personal data hacked by the hacker(s) known as TheDarkOverlord (TDO).
As anyone who has followed TheDarkOverlord’s criminal activities for the last 2+ years knows, TDO does not take kindly to having their “requests” ignored or refused. From the fact that this site is reporting on the breach, one can infer that CSS did not cooperate with TDO.
TDO did not provide DataBreaches.net with copies of any of the communications between them and CSS, so DataBreaches.net does not know the amount of any request TDO may have made, although a tweet on November 18 from TDO’s currently-suspended Twitter account suggested that a monetary request had, indeed, been made:
Although copies of communications were not provided to DataBreaches.net, TDO did provide this site with a small sample of the files they had acquired. Those files included seafarer agreements and contracts that would specify the contractor’s name, their passport number (in some cases), the wage rate that they would be paid, and other contractual provisions.
Other data acquired by TDO and provided to this site included a spreadsheet with client information, including the company name, and the name, email address, position, and telephone number of the contact person at the client’s company. While the data by themselves do not appear sensitive, it would certainly be useful information for anyone trying to socially engineer information or to set up a business email compromise or phishing attack.
As their site explains, CSS provides a range of services, including Seismic, Land Rig, Land, Maritime, Survey, Subsea/ROV, Geotechnical, Environmental, Renewable Energy, SMSS Group, and Medics. Of particular note, CSS also advertises that it provides maritime security:
MDS is the maritime security division of CSS Limited. Our Ship Security Consultants (SSC) are senior former military personnel (HM Royal Marines) and are available to respond to any security threat to the offshore maritime industry, particularly in the Gulf of Aden, the east coast of Africa and into the Indian Ocean. Somali based Piracy has reduced significantly over recent years and now seems to be limited to occasional reported approaches and un-confirmed sightings. With BMP4, the industry guidelines, proving to be almost 100% effective, our Security Analysts have re-assessed the current threat and how it can be approached and managed both with and without the use of firearms. Operational effectiveness is enhanced by full and willing participation from the vessel’s crew. MDS will provide highly skilled consultants who will utilize the experience and knowledge of protection methods gained throughout their maritime career and will embark a client’s vessel as ‘Ship Security Consultants’, to plan, train and advise the Master, ensuring the vessel steams safely through areas of Piracy. Our team is very conversant with all the high risk areas. CSS Limited / MDS only deploy operatives with a minimum of 5 years’ experience, often as Team Leader, who have conducted over 30 transits. MDS are committed to providing highly qualified Ships Security Consultants for a multitude of tasks, with 24 hours support from our Jersey based Operations team and for further information, please contact us at: [email protected]
DataBreaches.net asked TDO if any of the files they acquired appeared to contain sensitive or classified maritime security information. A spokesperson for TDO responded:
We’ve stolen everything they’ve ever had, and indeed we have information about staffing and routes for armed security for certain maritime vessels. Very sensitive information detailing TTPs [Tactics, Techniques, and Procedures] and the navigation routes. Information pirates would thoroughly enjoy, and we’re currently looking down avenues of having some maritime vessel crews taken hostage. Surely, CSS would pay us then.
It is hard to believe that TDO would go quite that far, but this is certainly not the first time that they have indicated a willingness to arrange to have people harmed.
Because this blogger has no expertise in GDPR, DataBreaches.net does not know whether notification of this incident would be required under GDPR or any other laws. DataBreaches.net has sent two e-mails to CSS over the past days seeking their response to certain questions about this hack. Neither e-mail received a reply. An attempt to contact CSS via their Twitter team also failed to get a response.
DataBreaches also sent an e-mail to the Office of the Information Commissioner for Jersey to ask whether this breach had been reported to their office, and in other correspondence, attempted to contact a U.S. resident who contracted as an environmental researcher working on the Fugro Discovery to find out if CSS had notified her of the hack.
No replies have been received from the OIC or the environmentalist.
This post may be updated if more information becomes available. But in any event, if TDO has developed a special focus on Professional Employer Organizations (PEOs), which is what they tell me and which is what the Prime Staff Inc. and CSS hacks indicate, other firms in that sector should be taking extra security precautions these days.
Update: In response to an inquiry from this site to the OIC of Jersey, a spokesperson explained that under their laws, they cannot comment on any case until after an investigation is completed, but the spokesperson also wrote:
I can confirm that we have made contact with the local organisation and are awaiting a response from them. We can therefore confirm that we are looking into the matter. However, as already stated we cannot make any further comment with regard to ongoing matters, not least because at this stage we do not know the full facts.
So eventually, we will have some determination from that regulator as to whether notification is needed for this situation.