ELTA had been warned of security risks a year before cyberattack, report shows
A year before the 2022 cyberattack on Hellenic Post (ELTA), which resulted in the data leak of millions of citizens on the dark web, an internal investigation into ELTA’s computer systems had warned of a high risk of infiltration.
Among its findings were significant security flaws, the usage of antiquated software, and inadequate employee training. It appeared that the strike was inevitable.
The Personal Data Protection Authority (DPA) fined ELTA 2.9 million euros in February of last year. The Authority estimates state that four to five million people were impacted.
The worst-case scenario came true in March 2022.
The “Vice Society” gang of cyber extortionists struck ELTA, paralyzed part of its network for days and leaked data of millions of citizens on the dark web. On May 4, a few weeks after the attack on ELTA, the hackers posted files they had intercepted on the dark web.
These included, among other things, company and employee financial data, board minutes, personal file and customer photos, an OGA pensioners list, responsible declarations and authorizations, customer and supplier data.
In a sample check of the leaked files, Kathimerini also found driver’s license photos that had apparently been stored on a computer.
A 27-page study on the vulnerabilities of ELTA’s electronic systems, dated April 20, 2021 stated that “more than 80% are running outdated, noncompliant supported and vulnerable versions of applications and operating systems, with minor exceptions.”
This condition created the “risk of data interception, data distortion or even data insufficiency.”
The DPA was initially informed by ELTA of the cyberattack on March 22, 2023, while it was informed of the data leak on July 27 of the same year.
As for the passwords used at ELTA, the researchers had discovered that many users shared common passwords, or in certain instances, simple codes.
Regarding the administrators’ passwords, they noted some shared admin accounts, where the password was known to more than one person.
