Last month security researcher Jeremiah Fowler found an unprotected database that contained private information on hundreds of thousands of U.S. veterans. He also discovered evidence that hackers may have stolen that same data during a cyberattack.
The database, Fowler discovered, belonged to North Carolina-based United Valor Solutions. On its website, United Valor states that it “provides disability evaluation services for the Veterans Administration and other federal and state agencies.”
All told the exposed database included private information and financial records on some 189,460 U.S. veterans. The bad news doesn’t stop there, however.
The database also contained passwords that Fowler believed were linked to internal accounts at United Valor. Those passwords were stored in plain text rather than being strongly encrypted, which could put victims at risk of account takeover. Whenever criminal hackers get a look at email address and password pairs, they’ll file them away for later account hijacking attempts.
Fowler also reports that the database was configured in such a way that anyone who accessed it could alter or delete records. That’s incredibly risky with any dataset, but even more so where stolen medical data is involved.
Last, but certainly not least, is the ransom note Fowler found buried within the data. An attacker had threatened to release United Valor’s data if 0.15 Bitcoin — about $8,400 at the current exchange rate — was not paid within 48 hours.
If that seems like an oddly small ransom, remember that this data was already ‘leaked’ because the database itself hadn’t been properly secured. It’s possible that the attacker didn’t actually infect any systems but rather inserted the note into the database.
Responsible Disclosure, Rapid Response
When he discovered the database on April 18, Fowler immediately notified United Valor. To its credit the company responded the very next day, saying that its contractors had been contacted and the database had been secured.
United Valor’s contractor reported that the data had only been accessed from internal IP addresses and Fowler’s. That makes the presence of the ransom note even more curious since its existence would seem contradictory to that report.
Given that there were other configuration errors with the database, it could be possible that detailed logs were not being generated. Without solid log information, it can be difficult to ascertain who accessed a database like this and when or how they did it.
Not About Naming And Shaming
Fowler makes it very clear that he “is not implying any wrongdoing by United Valor Solutions or their partners, contractors, or affiliates.” His goal is to raise awareness and educate… and perhaps most importantly to protect those whose personal data was exposed.
Article Provided By: Forbes