Special Ops Healthcare Worker Breach
A recent data breach discovery of mine contained the names, locations, Social Security Numbers, salaries, and assigned units for scores of psychologists, and other healthcare professionals, deployed within the US Military’s Special Operations Command (SOCOM). Not a single username or password was guarding this intel, which weighed in at over 11 gigs.
Potomac Healthcare Solutions provides healthcare workers to the US Government through Booz Allen Hamilton (you know, Snowden’s old employer). It is not presently known why an unprotected remote synchronization (rsync) service was active at an IP address tied to Potomac. I do know that when I called one of the company’s CEOs this past Thursday to report the exposure, he did not seem to take me seriously.
At the end of our short conversation he asked me to send an email. So, I did. After we hung up, I sent an email to Potomac’s two co-CEOs detailing the breach and included their Social Security Numbers, home addresses, dates of birth, and phone numbers. Here’s the intro:
Hello again Mr. Joseph,
You and I just spoke over the phone a couple of minutes ago. I described to you a recent publicly-accessible collection of data I have discovered that appears to be internal Potomac Healthcare files. You requested that I send over an email. I have also put Mr. Burden as a recipient and attached a file that should demonstrate that this is not a hoax.
I am, primarily, concerned for national safety's sake as there are things like names, email addresses, phone numbers, and Social Security Numbers for people that appear to work both directly at your facilities and at US military installations.
I figured that would do the trick. Much to my surprise, the unprotected file repository was still up and available an hour later. It shouldn’t take over an hour to contact your IT guy and kill an rsync daemon.
That last point is especially true when your publicly exposed files contain, in addition to healthcare workers, the names and locations of at least two Special Forces data analysts with Top Secret government clearance.
I decided to, basically, call Potomac’s boss. I’ve made a few contacts at various government agencies, some more helpful than others, most not wanting their names or departments to be mentioned… ever. So, I went through my email archives and found the appropriate phone number.
Potomac’s files went offline about 30 minutes later. I may never know for sure if that second phone call had anything to do with the documents finally being secured, but I’d like to think it might have helped.
It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information. Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.