Sunday, May 10, 2009

Health Records Stolen And Held For Ransom

I came across an article about the Virginia Prescription Monitoring Program database being hacked and held for a $10 Million (U.S.) ransom.
Supposedly the hacker(s) also deleted the database backups.

See the story here:
Virginia PMP Hacked

The above link also has a link to Wikileaks that has a copy of the ransom note left on the PMP site.

A new story has now emerged in which the agency in charge of the PMP website and database denies the claim that the database backup has been destroyed.

Agency Denies Claim Database Was Destroyed

As I was researching this story I came across another story that deals with a break-in to the Berkeley University database that stores the students' health records.

Berkeley Student Health Records Compromised

This attack went on over a 6 month period before the administrators realized what was happening! Half a year of not knowing your server has been breached? That sounds like a huge case of incompetence!

Now I have to ask myself a question, as should you.
Where the heck is the security?
And what are they doing? Sleeping?

Then you have that nonchalant attitude like the one found in the Agency Denies Claim Database Was Destroyed link:

"acknowledged a data breach of it may have occurred but refuted the notion the database had been wiped out by the unknown attacker."

A data breach may have occurred?
Geez! The FBI is involved. I'd say that it did occur. And I'm willing to lay odds that the database backup was destroyed. Makes you wonder why a backup was so conveniently accessible from the main server. Bet they stored it on the same hard drive!

And what about all that patient info that is supposed to remain confidential?
Who is going to pay for the damages to these people's credit ratings once the perpetrator decides to sell all that info?
What about all those Social Security numbers that can now be used for identity theft and fraud?
Who's going to foot that bill to protect the patients?
Patients that had absolutely no say in how their personal info was used or how it was stored and safeguarded.

I'm willing to bet that due to budget cuts either most of the IT staff was laid off or the whole operation was sub-contracted to the lowest bidder.
Some bean counter decided that the easiest way to increase the bottom line or cut the budget was to cut or sub out the security staff that had been hired to protect our confidential data.

This scenario has been repeated over and over. Increasing the bottom line takes precedence over security and IT departments.
I have also encountered people who have graduated with a degree in computers who don't know squat about network security. But they sure know how to set up a network connection using DHCP or email accounts!

Sorry if I may have offended some System Admins out there, but when a graduate from a school who has an MCSA comes up to me asking how a firewall works or whether I can format a hard drive for him, I have to wonder just what the hell they are teaching at that school and how the students are passing those MCSA tests!

Maybe it's time that our schools and institutions start teaching ethical hacking courses so that they can start protecting our networks better.
And let's keep the bean counters in check and prevent them from raiding our IT staff.
Make companies and government accountable.
Huge fines and penalties for any company or government entity that allows our data to be compromised. And the monies from the fines go to the people whose info was stolen!

Oh! And I must make mention that the Virginia PMP was running on Windows Server 2003. Berkeley uses several OS's including OpenBSD, Solaris, Fedora, Red Hat, Debian and Windows Server 2003. I'm gonna go out on a limb and say that the students' health records were stored on a Windows 2003 server also.
Windows: Safe, Secure, Fast. NOT!

I won't even get into the hacking of the power grid.
I may end up offending even more people and then have the G-Men knocking on my door.
