The hacker Kahuna breached the systems of another aviation website

Dec 18, 2011 14:18 GMT

A hacker decided that the fine G2Secure Staff had to pay an individual as a result of a discrimination lawsuit wasn’t enough, so he breached the company's poorly secured databases, leaking administrator log-ins and employee records.

G2Secure Staff, a company that provides a wide range of aviation staffing and security solutions, was taken to court by the U.S. Equal Employment Opportunity Commission (EEOC) over an incident in May 2010, when it denied a man who suffered from a renal disease the opportunity to take a job application drug test by means other than a urine sample.

The man completed all the requirements except for the urine test, which he could not provide due to his illness. When the EEOC found out about the situation, it filed a lawsuit against G2Secure, which was sentenced in court to pay $30,000 (21,000 EUR) and additional damages to the individual involved.

After hearing about the incident, the hacker known as Kahuna decided the ruling wasn’t severe enough for the organization, so he hacked into their website to punish them more. At the same time, he wanted to show that not even those who provide security are better protected.

“I found this to be ridiculous, that they would do something like this, so then I decided I would take a look at their site. Not a bad target if this is how they act as a company, with such little ethics,” the hacker told me.

“So I looked at their site and checked to see if I could find any vulnerabilities. After a perfunctory search, I found an SQL injection vulnerability in their services tab page, located linked off their homepage.”

The databases he found contained 63 administrative and executive e-mail addresses, passwords (not in clear text), names and access levels. Names, e-mail addresses, addresses, and phone numbers belonging to more than 8,000 of the company's employees were also stored in the databases.

“At that point, I pulled the full database and leaked out the info that was most damaging to them to have hacked,” Kahuna added.

“I think this just goes to show further that companies can choose to be corrupt, and can choose to act unethically, but that doesn’t mean people won’t notice, and that just paying a settlement may not always be the only punishment. Especially when they have security issues on their site and choose to also include their employee records in the same database.”