My next class:
Red Team Operations and Adversary Emulation, Paris, Sep 16th - Sep 21st 2024

Health database breached

Published: 2009-05-05. Last Updated: 2009-05-05 19:04:50 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

The wikileaks.org web site, a pretty famous repository of "leaked" documents that were never supposed to see the light of day, is reporting a supposedly large security breach of the Virginia Prescription Monitoring Program (VPMP). According to wikileaks.org and other sources around the web, the VPMP web site was defaced by an unknown hacker who left a ransom note asking for 10 million US$ in order to return the data.

According to the hacker, he acquired records on more than 8 million patients. The records include prescription data as well as each patient's name, age, address, SSN and driver's license number.

Now, while none of this has been verified, there are a couple of things we can already see. First of all, the hacker definitely managed to compromise the web site, because the front-end web page was modified. According to the message left by the hacker, he also deleted the backups (now, this raises some eyebrows, doesn't it?).

If this is all correct, it indicates that several protection layers failed at the VPMP. Without knowing more details we can't say whether the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is a hacker being able to delete your backups. Indeed, any decent backup system will only allow you to back up the data or read it – only the backup administrator should be able to delete the backups.

We'll see how things will develop here and update the diary if we get more information.
 

Keywords: breach health ransom

Comments

Not to mention that any backup that is accessible electronically is not an "end-of-the-world" backup. There should always be off-site backups, and there should always be air-gapped backups (i.e. a backup tape that is sitting on a shelf and requires human intervention to insert into a tape library).
Completely agree - I totally forgot to write about tapes, which are *a must have*.
