City firms wide open to drive-by hacks

The number of IT directors in the City installing wireless networks is on the up - but worryingly, they are failing to secure them properly and are leaving their employers open to 'drive-by' hacks.

The Institute of Information Security (Instis) sent a researcher with a laptop and a wireless network card around London's financial district and was able to get access to dozens of private networks.

Instis conducted a similar exercise in December 2001, and found that 65 per cent of 119 wireless networks were unencrypted then. That compares with 71 per cent of 185 networks last month.

This 50 per cent increase leaves 131 networks freely accessible by hackers.

Dr Richard Sykes, chairman of Morgan Chambers, said: "This is terrifying data. It shows a determined hacker seeking to access information and put a company at a disadvantage can do it. This strengthens the warning that IT directors need to be alert."

He added: "What makes these results more fearsomely horrible is that the one place in the UK where you would expect IT directors to be on the ball is the City of London."

IT directors are liable for prosecution if a wireless local area network they are responsible for is hacked into and private information is stolen.

Jonathan Armstrong, senior associate at law firm Eversheds, claimed that IT directors have no excuse for not thoroughly securing a wireless network based on the 802.11b standard because the mass of information available means no one can plead ignorance.

Armstrong said: "IT directors are liable to prosecution. The seventh principle of the Data Protection Act essentially says IT directors have to keep personal data secure. Anyone whose personal data is leaked across a network can sue because security breaches have been so well reported the door has closed on the innocence defence of 'no-one said it was insecure'."

Sykes added: "IT directors must take responsibility for network security and adherence to data protection laws. After all, the reason companies hire IT directors is to make someone clearly responsible for security."

BT Group intends to roll out 4,000 wireless 'hotspots' by 2005 but it is not bothered about 802.11b's reputation. A spokeswoman said: "We are sure that our product is 100 per cent not hackable."

A spokeswoman from the Information Commissioners Office said IT directors could be sued for damages and compensation privately in court or an individual could ask the Commissioner to investigate security at a company.