A few days after a report on cybersecurity was published by INSA, the website Cryptome.org received the 3,000-strong INSA membership list, which includes names, addresses, and contact information of many in the US intelligence community.
The list of INSA members, published by Cryptome under the title “INSA Net of Official and Corporate Spies”, includes officials from top defense firms, as well as the National Security Agency, the White House, the Pentagon, the FBI, the CIA, the Office of Director of National Intelligence, and the State Department. A number of the names were subsequently removed by Cryptome in response to removal requests by individual members.
"I guess I feel like anybody else this happens to – like I was violated," INSA president Ellen McCarthy, a former top Pentagon intelligence official, told NBC News.
John Young, a national security buff who runs Cryptome, told Infosecurity that his group did not hack into INSA’s system to get the list. In fact, the list was sent to the group anonymously. “Cryptome did not hack the site. We don’t have that capability. We are a publisher, not a technical group”, he said.
Young questioned whether INSA had in fact been hacked. He said the membership list disclosure was a result of poor information security practices on the part of INSA. “Accusations of hacking seem to be used as a form of exculpation of people who have not provided adequate security for material they are in charge of”, he opined.
A spokesperson for INSA told Infosecurity that “Cryptome knowingly published information that was not for public distribution. Exactly how it was obtained or if that constituted a ‘hack’ is simply semantics from our perspective.”
Cryptome has been in operation since 1996. According to its website, “Cryptome welcomes documents for publication that are prohibited by governments worldwide in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance – open, secret and classified documents – but not limited to those.”
Editor’s note: A previously published version of this story indicated that Cryptome had hacked into INSA’s information systems to obtain the list, based on a misreading of a story by NBC News. The story, however, did not directly link Cryptome with the hack. It did cite INSA president Ellen McCarthy as confirming that INSA’s systems were hacked and that the list was published by Cryptome. This original article has now been updated, and we apologize for this error.