Hackers Issue Bogus Amber Alert

Hackers broke into the state of Iowa's Amber Alert website and issued a bogus alert over the weekend.

Attacking from an offshore computer, the hackers found a bug in the Web application used to manage the Amber Alerts. They then re-issued a February 2009 alert on Saturday, but rescinded it within about five minutes, according to spokespeople for Iowa state agencies.

The incident is being investigated, said Robert Bailey, a spokesman for Iowa's Department of Administrative Services. "It doesn't appear that any confidential information such as Social Security numbers were exposed, but they're still doing forensics on it," he said.

The Amber Alert website is one of two websites that were hacked by the attackers. The other is Iowa's Accident Report website, used to provide the public with basic information on motor vehicle accidents within the state.

The incident was not particularly disruptive -- only one media organization called to follow up on the Amber Alert -- but it has kept the websites offline for four days now as the state investigates the attacks.

The vulnerability leveraged to break into the server was in a Web-based application built by Iowa Interactive, a subsidiary of e-government service provider NIC, Bailey said. The state server that hosted this NIC application was not compromised by the hack, he added.

The Amber Alert application was "custom-built for the state of Iowa by one of our subsidiaries, Iowa Interactive," said NIC spokeswoman Angela Skinner in an e-mail. "Iowa Interactive continues to work on this incident in conjunction with the Iowa Department of Administrative Services and the Iowa Department of Public Safety," she added. "Their goal is to get the application up-and-running as quickly as possible, and to work on a solution to prevent future incidents."

Skinner declined to say whether other NIC applications had been hit via similar Web attacks. The company counts more than 3,000 state, local and federal government agencies as clients, including the U.S. Department of Transportation and the Federal Election Commission. Last year it processed more than US$11.4 billion in secure payments.

Even with its website down, the state still has ways to get its Amber Alert messages out to the public, the state's Department of Public Safety said in a statement. Amber Alerts can still be circulated via the National Weather Service, the Emergency Alert Service and the media.

This isn't the first time that there's been trouble for Iowa's Amber Alert system. In 2009, Iowa was one of several states to be hit with a rash of fake Amber Alert warnings. It became such a big problem that earlier this year, Iowa's Department of Protective Services issued a public warning.

There is no word on when service to the two websites will be restored.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
