Kevin Mitnick 101: How Heartland Leaker Got Confidential Documents

I'm surprised that the Internet security aspects of the Heartland Institute document leak haven't gotten more attention. There's a good lesson here.

The person who received the documents, Peter Gleick, an environmental scientist and MacArthur genius grant winner, used social engineering to get them. His technique was Kevin Mitnick 101.

Quick background: Gleick frequently speaks out on the dangers of climate change. The Heartland Institute is a center for climate change skepticism.

Last week, Heartland’s budget and its list of donors was released and published. The material includes a list of all of Heartland’s employees and their salaries over the years. More important to the climate change issue, was Heartland’s list of donors, which included many large companies.

They had to be Heartland’s most confidential documents.

This week Gleick acknowledged that he was the one who got the documents. Of his role, he wrote: "In a serious lapse of my own and professional judgment and ethics, I solicited and received additional materials directly from the Heartland Institute under someone else's name."

Gleick got that material by reportedly creating an email account for a board member and then claiming it was a new email account. (See The Atlantic’s Megan McArdle.)

On the basis of this email, someone at Heartland emailed Gleick the organization's budget and its list of donors.

No one expects a group of Heartland's size to have stellar, financial services-level, security practices. It's a small business. But what Gleick accomplished, and so easily, is a good illustration of just how effective social engineering can be in gaining trust and breaching security.

Shop ▾
arrow up Amazon Shop buttons are programmatically attached to all reviews, regardless of products' final review scores. Our parent company, IDG, receives advertisement revenue for shopping activity generated by the links. Because the buttons are attached programmatically, they should not be interpreted as editorial endorsements.

Subscribe to the Security Watch Newsletter