A Third Party that Wishes it were Hacked

Massachusetts General Hospital (MGH) announced this week that some of its patient data was compromised at one of its third parties, Patterson Dental, a company that provides software that helps manage dental practice information. According to MGH’s version of events:

“On Feb. 8, MGH learned that an unauthorized individual gained access to electronic files stored on the system {Patterson Dental’ system, that is} and later confirmed the files contained some MGH dental practice information.”[1]

“Unauthorized individual.” Sounds intriguing. How did the “unauthorized individual” gain access? Must have been a brilliant hacking scheme, obscure web server vulnerability, SQL injection, cross-site scripting attack, or an international organized crime ring with a team of brilliant minds operating around the clock in a smoke-filled basement beneath an otherwise nondescript storefront.

Or maybe a busy employee of Patterson Dental just accidentally copied the wrong file to the wrong server…in 2009.

It turns out that the “hack” of the FTP server was perpetrated by Justin Shafer, a dental computer technician and software security researcher who runs a security blog site in his spare time (http://justinshafer.blogspot.com/). While researching suspected vulnerabilities in in a dental practice management software package, Justin stumbled upon an anonymous FTP server operated by Patterson Dental (the company that makes the dental software Justin was researching). Anonymous FTP servers are designed to distribute large, non-sensitive files (e.g. product documentation) to the public, and they’re accessible by just about anyone… by design.

Having discovered and downloaded sensitive patient data from the FTP site undetected, he notified DataBreaches.net to:

“request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time.”[2]

We should all be so lucky as to be “hacked” by Justin Shafer.

So Mass General had two options:

• The Truth – they entrusted sensitive patient data to a third party that (presumably) accidentally copied it to a pubic server, or:

• A Creative – borderline fantastical – Embellishment – one of their third parties was “hacked” by an “unauthorized individual”

Which do you think the PR and Legal folks went with?

We don’t know how the sensitive file ended up on the anonymous FTP server in 2009, but there’s a pretty good chance an employee in a hurry put it there so a trusted colleague could download it easily, avoiding the cumbersome process of using a secure server, obtaining credentials, etc. A short cut. I’m sure whoever copied the files meant to delete them, but then life happened…

This case is anything but a hacking, and both the 1^st and 3^rd parties are hiding behind the word, as, ironically, what actually happened is more embarrassing than an actual hack… it’s more honorable to be injured in a mugging than falling down after drinking too much.

The episode, however, is illustrative, as it underscores the reality that even brilliant hackers depend on employee carelessness or flat out stupidity to successfully prosecute the most effective attacks.

Fortunately for hackers, there’s no shortage of either.

Post Script

If you have a few minutes, I encourage readers to take a look at the full article in the second footnote: http://www.dailydot.com/layer8/justin-shafer-fbi-raid/

Spoiler alert: the FBI raided Justin Shafer’s house in response to his actions as a suspected “cyber-criminal.” Apparently, no good deed really does go unpunished.

[1] http://whdh.com/news/local/mass-general-hospital-announces-data-breach/

[2] http://www.dailydot.com/layer8/justin-shafer-fbi-raid/