14 DAY TRIAL // Cybercriminals have managed to hack into an online platform used for buying and selling guns, creating a database of 111,000 entries, some of which containing information about the CRM used by gun shops across the UK, according to The Register.
Guntrader is a platform very much like Gumtree where private individuals post ads on the Internet along with their contact information so that potential buyers can get in touch. The breach of Guntrader earlier this week showed an SQL database running the online platform Guntrader.uk and its registered electronic gun shop product, consisting of around 111,000 users dating from 2016 to July 17.
The database contains users' names, mobile phone numbers, email addresses, as well as geo-location data. The stolen database also contained information such as IP addresses of users, postal addresses, zip codes, phone or fax numbers, bcrypt-hashed passwords, the police agency that issued an RFD's certificate, latitude and longitude data, and full names.
In case you're wondering, the information had to be recorded by Guntrader in order to comply with UK firearms regulations. This represents a serious breach of privacy not only for the business but also for its users, the members of the UK licensed firearms community.
Cybercriminals were successful in stealing sensitive user information
Gun shops, referred to as Firearms Dealers or RFDs in the United Kingdom, can generally take advantage of Guntrader's integrated gun recording solution. The platform is advertised as offering daily backups and end-to-end encryption, among other benefits.
The payment logs were also provided with an explanation by Barratt of Coalfire that while no credit card information was provided, the payment data tables contained what appeared to be an SHA -256 hacked string. Other payment information was limited to the prices displayed on the website for rifles and shotguns.
Reports on shooting sports sites suggested that Guntrader was blaming an iframe as an access point on a customer's website. The British Shooting Sports Council and the National Rifle Association have been informed of the data breach.