Staying safe online
These days, it is almost impossible to live life “off grid”, unconnected to the Internet. Many essential services require you to interact with online systems, from “Making Tax Digital” to renewing your NSRA membership. Even when there is an alternative paper- or phone-based system, your details will probably end up in an online database sooner or later anyway. Internet-connected databases are constantly being probed by automated programs looking for vulnerabilities that can be exploited. A whole new business of Information Security (InfoSec) has arisen to address and minimise the risks posed by these attacks, and it is thankfully very rare for the security around a database to be breached. However, when it does happen, the consequences can be severe.
This article looks at some of those risks from the point of view of a firearms owner and offers some advice about how to protect your data.
The Guntrader Data Breach
Guntrader is an online marketplace for new & used shotguns, rifles and shooting equipment. It also has its own electronic gun register software used by UK Registered Firearms Dealers (RFDs).
On 17th July 2021, around 112,000 people who had registered on Guntrader’s website between 2016 and 2021 had their details stored in a database that was stolen. The data was subsequently published on the dark web and included users’ real names, email addresses, phone numbers and geolocation data. It is thought that payment card details and details of firearms were not accessed.
In the last week of August, someone claiming to be an animal rights activist reformatted the stolen data to make it much easier to view on Google Earth. This list was published on the activist’s blog, making it much easier to access. Many copies are now in circulation, almost all of them laced with viruses and other malware, so please DON’T try to find or download it!
Are you affected?
If you have used the Guntrader website in the last 5 to 6 years, you may well be affected by this data breach. Guntrader has contacted everyone they think is affected, but if the contact details they hold are out of date it is possible that some people will not have received this notification. The safest and best way to tell if you are affected is to use the free service “Have I Been Pwned”. By entering your email address or mobile phone number, this site will notify you of any data breaches that contained your details, and what information might have been included. Also note that if you have moved, the current occupants of the address registered with Guntrader might also be at risk.
OK, so you have confirmed that your details are among those stolen and published. First, don’t panic! Contact Guntrader to see what advice and assistance they can offer. The big risk here is the availability of geolocation data (i.e. where you live). The genie is out of the bottle, so to speak, and there is nothing you can do about that. What you can do is make sure your security arrangements at home are as good as they can be. Obviously, make sure your guns and ammunition are locked up at all times when not in use and your keys are stored safely. It might be worth considering whether you can keep ammunition and the bolt of your rifle securely at your club (with permission, of course).
Dos and Don’ts
Do:
- Check www.haveibeenpwned.com
- Change your password
- Review your home security arrangements
- Consider getting an alarm and CCTV installed
- Be vigilant when leaving/returning to your home in case it is being watched
- Contact the police if you think you are in imminent danger
- Consider storing ammunition and your bolt or action at your club (if allowed)
Don’t:
- Try to download the stolen data file
- Ignore this data breach!
General advice for staying safe online
Think about what information you share online or offline – those details could find their way online without you being involved!
The internet makes it very easy to link pieces of data from different sources, providing a more complete picture than you imagined.
Keep your computer operating system and other programs updated with the latest security patches. If you have software on your computer that you no longer use or need, uninstall it. If a piece of software has reached its “end of life” and is no longer receiving security patches, it is time to upgrade or switch to using a different program.
Keeping your computer free of malware is not only protecting you directly, but also helping to reduce the attacks on online databases. Compromised personal computers are often used by the criminals to launch attacks on servers.
Be wary of unsolicited emails, texts and phone calls. If a message invites you to click on a link to login to “their” website, don’t – use an independent route (like a browser bookmark) to get to the site.
Use two-factor authentication where that is available
Two-factor authentication means that the site will, for example, send you a text containing a code that you need to enter on the website to complete the login.
Choose strong passwords
That means long combinations of upper- and lower-case letters, numbers and other characters. Try to use passwords that are at least 16 characters long. Do not use words that could easily be guessed or looked up in a dictionary. Replacing some letters of a word with numbers that look similar (e.g. 5 for s, 3 for e, 0 for o, etc.) does not make your password significantly stronger. Hackers know people do this!
DO NOT RE-USE PASSWORDS ON MORE THAN ONE ACCOUNT!!
If you do, and one site is hacked, the criminals will be able to access any other accounts using the same credentials. When one site is hacked, you will need to change the password on all sites where you have used the same password.
How can I remember all these different and un-memorable passwords, you ask yourself? Well, you don’t have to. There are a number of password manager applications available, both cloud-based and residing on your computer, and some are free. They will store your passwords for you and help to generate long, strong passwords for you.
Using a password manager program is probably the single best thing you can do to protect your online accounts.
Pay special attention to your email account. If a hacker gains access to that, he will be able to intercept any security warnings or password reset checks that are sent to you.
Other steps to protect yourself online can be found at:
Considerations for FAC holders
Firearms are attractive to criminals. Whilst a smallbore target rifle will be of little use in crime, thieves aren’t to know what firearms are in any particular property. Targeted robberies and burglaries to steal firearms and shotguns, while unusual, are certainly not unknown. Police have previously issued warnings to the licensed firearms community emphasising personal safety after a spate of robberies targeting licensed firearms owners outside their homes and at rifle ranges. The Guntrader breach could lead to a spate of such crimes.
All firearms security begins with obscurity. It is very difficult for criminals to target firearms owners if they don’t know who they are. The Guntrader breach takes away that obscurity for about 20 per cent of the registered.
Finally, a quote from an email Guntrader sent to one victim of the data breach when asked about the data breach:-
We do not foresee any risk of physical harm as a result of this Incident. We have been in discussions with the police regarding the attack and any risk of theft of firearms individuals may face. We have been advised that this is highly unlikely as criminals rarely target residential properties to steal firearms. The majority of firearms in the criminal network are illegally imported from Eastern Europe and a very small number of firearms are stolen from properties annually. This incident does not increase the risk of this, especially for those customers for whom no street level address was included in the stolen data (i.e. the location of the firearms are unknown).
In keeping with this assessment, we are aware that Lancashire Police has sent a communication to affected individuals in Lancashire. They confirmed that:
- the leaked data was no longer available on the web; and,
- the investigation to date has not highlighted any increased risk to any specific individual exposed by the incident;
We therefore consider physical harm linked to burglary or otherwise being targeted as extremely remote.
In the circumstances we do not consider there to be any rational reason for concern.