
SANS ISC: Health database breached - SANS Internet Storm Center


Health database breached

The wikileaks.org web site, a well-known repository of "leaked" documents that were never supposed to see the light of day, is reporting on a supposedly large security breach of the Virginia Prescription Monitoring Program (VPMP). According to wikileaks.org and other sources around the web, the VPMP web site was defaced by an unknown hacker who left a ransom note asking for US$10 million in order to return the data.

According to the hacker, he acquired records on more than 8 million patients. The records include prescription data as well as patients' names, ages, addresses, SSNs and driver's license numbers.

Now, while none of this has been verified, there are a couple of things we can already see. First of all, the hacker definitely managed to compromise the web site, because the front-end web page was modified. According to the message left by the hacker, he also deleted the backups (now, this raises some eyebrows, doesn't it?).

If all of this is correct, it indicates that several protection layers failed at the VPMP. Without knowing more details we can't say whether the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is a hacker being able to delete your backups. Indeed, any decent backup system will only allow you to back up the data or read it; only the backup administrator should be able to delete the backups.

We'll see how things will develop here and update the diary if we get more information.
 


Bojan

376 Posts
ISC Handler
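
One way to check the diary's point that only the backup administrator should be able to delete backups, as an added example that is not part of the original diary. The diary names no backup technology, so the AWS-style policy format, the role names and the `example-backups` bucket are assumptions made for illustration; conditions other than on Deny, `NotAction` and resource policies are ignored.

```python
from fnmatch import fnmatchcase

# Real S3 action names that destroy backup objects or their versions.
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion")
BUCKET = "arn:aws:s3:::example-backups/*"           # constructed bucket name
BACKUP = "arn:aws:s3:::example-backups/db/dump.gz"  # constructed object

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource wildcards cover the request."""
    return (any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def can_delete(policy, resource=BACKUP):
    """Delete actions the policy may allow: explicit Deny beats Allow, and a
    conditional Deny is not trusted to block (conservative for an audit)."""
    stmts = _as_list(policy["Statement"])
    allowed = []
    for action in DELETE_ACTIONS:
        hits = [s for s in stmts if _matches(s, action, resource)]
        denied = any(s["Effect"] == "Deny" and "Condition" not in s for s in hits)
        if not denied and any(s["Effect"] == "Allow" for s in hits):
            allowed.append(action)
    return allowed

def audit(roles, delete_admins=("backup-admin",)):
    """Return {role: delete actions} for every role outside delete_admins."""
    findings = {}
    for name, policy in roles.items():
        actions = can_delete(policy)
        if actions and name not in delete_admins:
            findings[name] = actions
    return findings

# Constructed role policies: only backup-admin is meant to delete backups.
ROLES = {
    "web-app": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET}]},
    "backup-writer": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET}]},
    "reporting": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": BUCKET}]},
    "backup-admin": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET}]},
}

if __name__ == "__main__":
    print(audit(ROLES))
```

The wildcard grant on the web application's role is the finding here: a role that only needs to write and read backups should look like `backup-writer`, with deletion reserved for the backup administrator.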
Not to mention that any backup that is accessible electronically is not an "end-of-the-world" backup. There should always be off-site backups, and there should always be air-gapped backups (i.e. a backup tape that is sitting on a shelf and requires human intervention to insert into a tape library).
Anonymous
Completely agree - I totally forgot to write about tapes, which are *a must have*.
Bojan

