The Russian Visa Center in the U.S. was reportedly targeted over the holiday weekend by a massive hack claimed by an individual who said he did it just show how weak the system's security was. The individual, who goes by Kapustkiy on Twitter and said he was 17-years-old and from Russia, told International Business Times he considered himself a "Grey Hat Hacker" or someone who would not make people's personal information public, but was willing to leak it to the company itself to prove his point.
The breach could reportedly affect thousands of U.S. citizens who applied for Russian visas and whose personal information including names, E-mail addresses and phone numberes were stored in the database. The Russian Visa Center, managed by a contractor called Invista Logistics Services (ILS), has offices in Washington, New York, Seattle, San Fransico and Houston. The teenager said he noticed errors in the database's coding language back in 2014 and attempted to contact the company back then.
"No one did something so I decided to do it. They just ignored E-mails and I wanted them to fix it as quick as possible. I had to do it this way to let them understand it," Kapustkiy told International Business Times over Twitter. "And the craziest thing about this is that the admin didn't even take his website offline to fix the errors."
Kapustkiy said he did not target the center for any other reason than the glaring errors he noticed in its Structured Query Language, or SQL, and that other Russian visa centers were protected against a SQL injection, or SQLi, by which a user can gain access to a database and bypass its security controls. Acunetix, a web application security scanner, calls SQL vulnerability "one of the oldest, most prevalent and most dangerous of web application vulnerabilities."
Kapustkiy said he has been hacking since he was 13 years old, but could teach a six-year-old to use the kind of tools he did to gain access to the center's database. International Business Times was unable to reach Russian Visa Center over the phone, but the center's lawyer John Shoreman told BuzzFeed News Monday that the hack actually targeted the center's calendar.
“The security services are saying that the visa website itself was not hacked, but the calendar may very well be the subject of a hacking,” Shoreman told BuzzFeed News. “ILS shares a calendar of appointments with the consulate office of the Russian embassy and apparently that’s where these 3,000 names came from, it came from a calendar of appointments.”
Shoreman also reportedly confirmed that personal information of several individuals shared by Kapustkiy with BuzzFeed News was genuine and that the Russia Visa Center would likely contact its customers within the next 48 hours in regards to the breach.