Last Saturday, we began reporting on a security breach at French anti-piracy company Trident Media Guard (TMG). The company had been entrusted by the French government to carry out monitoring of file-sharing networks in pursuit of their nationwide anti-piracy program.
Blogger and security researcher Olivier Laurelli, aka Bluetouff, told us that a TMG virtual machine had been leaking data, including security tools and, according to a later report by news resource Numerama, IP-addresses of French citizens.
Naturally the revelations generated controversy, with the Hadopi agency announcing that they had suspended electronic connections with TMG and had resorted to shifting file-sharing monitoring data around on DVD instead.
As the pressure mounted on TMG, in the middle of the week they called in Commission Nationale de l’informatique et des Libertés (CNIL) to investigate the security issue. CNIL is the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data,
Then yesterday, Telecom Paper reported that TMG would sue the person responsible for finding the security flaw, but adding that it would be unusual for the French courts to prosecute people who expose lax security as doing so is deemed to be in the public interest.
TMG’s position, however, is slightly more awkward than that.
After first trying to play the situation up, using language such as “we have been the victim of data theft”, TMG followed up with claims that the exposed information was in fact nothing to do with their main systems. Furthermore, the server from which it came allegedly carried no live end-user data and was in fact a mere test machine. According to a source quoted by PCInpact, this is why TMG left it unprotected.
So on what basis would TMG sue Bluetouff? TorrentFreak asked him.
“TMG first said to the press it was an unprotected test server with no confidential data, and that there was no hack. So I’m really wondering on what basis they could attack,” he explained.
“I guess they need to sue someone because of insurance stuff or just to avoid admitting their own fail. So just wait and see but I’m quite sure they won’t sue.”
Bluetouff then reminded us of the security flaw he discovered in software developed by ISP Orange, which inadvertently leaked users’ IP addresses as it tried to block file-sharing.
“Orange had the same reaction, to send me lawyers first over their splendid ‘hadopiware’. Then they tried to understand what happened and who is guilty of what afterwards,” he explained.
Then within minutes we had another message from Bluetouff. “Wow, that was fast,” he said.
As predicted, TMG had announced that they won’t sue after all, unless they find evidence of “a formal intrusion”, something which presumably won’t be possible on a server they left deliberately open.
Time will tell what conclusions the CNIL data inspectors will draw from the episode. Their report is forthcoming.