Italy’s Hacking Team, which sells surveillance software, found itself the victim of hacking after it was hit by a data breach on Monday.
Hackers said they had penetrated Hacking Team’s internal network and stolen more than 400Gb of data. The controversial Milan-based firm’s Twitter account was hijacked on Monday and used by hackers to release the company’s documents, email correspondence, employee passwords and the underlying source code of its products.
The stolen data includes a list of the countries that have bought Hacking Team’s main surveillance tool, Da Vinci, and emails suggesting intelligence agencies use it to spy on activists and journalists - including those of Egypt, Russia and Saudi Arabia. After taking over Hacking Team’s Twitter account, the hackers changed its name to Hacked Team and said: “Since we have nothing to hide, we’re publishing all our emails, files and source code.”
Christian Pozzi, engineer at Hacking Team, confirmed the breach on his own Twitter account. “We are awake. The people responsible for this will be arrested. We are working with the police at the moment,” he wrote, but the tweets were subsequently deleted, as was his account. Company spokesman Eric Rabe confirmed the breach, adding that law enforcement will investigate the illegal taking of proprietary company property.
The snooping company describes itself as a maker of lawful interception software used by police and intelligence services worldwide, but it has been accused by anti-surveillance campaigners of selling tools to governments with poor human rights records. Human rights group Reporters Without Borders named the firm as one of its “enemies of the internet”.
Among the documents published was a spreadsheet that purports to show the company’s active and inactive clients at the end of 2014 and included police agencies in several European countries, the US Drug Enforcement Administration and police and state security organisations in countries with records of human rights abuses such as Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Saudi Arabia and Sudan.
Hacking Team did not dispute the veracity of any of the documents, though it said some reports that claimed to be based on them contained misstatements. It said it would not identify any customers because of binding confidentiality agreements.