HITRUST Hack Leads Breach RoundupSecurity Group's Test Server Compromised
In this week's breach roundup, a hacker attack on a web server of the Health Information Trust Alliance exposed a test database. Also, a hacker pleaded guilty for his role in the breach of a global intelligence firm that provides services to the federal government.
HITRUST Web Server Hacked
A hacker attack on a web server of the Health Information Trust Alliance demonstrates that any organization - including one with a cybersecurity mission - can become a breach victim.
In a statement, HITRUST disclosed that a non-critical, stand-alone public web server was compromised by an SQL injection, resulting in some test data being leaked. The server housed a database that included 111 records, including some real names, companies, addresses, phone numbers and e-mail addresses, as well as six encrypted passwords. No protected health information was involved, HITRUST said.
HITRUST is a collaborative group of healthcare, business, technology and information security leaders that developed the Common Security Framework, which is used by organizations that create, access, store or exchange personal health and financial information.
"The database in question was a test database that was populated with information from rosters previously made public from planning meetings held during 2008, in addition to some fictitious data created by our developers," HITRUST stated. "This data was used to test a forms handling feature on the site. No usernames or user passwords were included in the database other than those required to administer the database itself."
The attack was reportedly committed by Anonymous hackers in the TeamBerserk group, based on claims the group made on Twitter, a HITRUST spokeswoman says.
In light of the incident, HITRUST has updated its security policies for non-critical, non-sensitive web servers and its test environments. The organization said it "will secure our test environments and public general information websites to a higher assurance level. The server in question has been addressed and test information deleted. None of our other servers or data centers were involved in this event."
HITRUST has notified all those whose contact information was exposed.
Dan Nutkis, HITRUST's CEO, told Information Security Media Group that hackers had earlier made unsuccessful attempts at compromising the low-risk server, hoping it would serve as an entry to other systems, which are much more highly protected. The breached server had minimal protection because of the data it contained, he said.
"We're surprised people are so concerned about the event; there were no high value assets [on the server]," Nutkis said. But the lesson learned, he added, is that public perceptions about cybersecurity are important. "Costs are indirect ... irony, reputation, distraction all are factors." As a result, he said, "We will increase our protection, not due to risk but appearance."
Stratfor Hacker Pleads Guilty
Hacker Jeremy Hammond has pleaded guilty for his role in the 2011 Strategic Forecasting Inc. breach that affected about 860,000 individuals (see: LulzSec Leader Strikes Deal with Feds). Stratfor is a global intelligence firm, based in Austin, Texas, that provides services to the federal government.
In his guilty plea, Hammond also admitted involvement in multiple additional hacks, including computer intrusions into the Federal Bureau of Investigation's Virtual Academy, the Arizona Department of Public Safety, the Boston Police Patrolmen's Association and the Jefferson County, Alabama Sheriff's Office, according to a release from the U.S. Attorney's Office for the Southern District of New York.
Hammond pleaded guilty to one count of conspiracy to engage in computer hacking and faces a maximum of 10 years in prison. He has also agreed to pay up to $2.5 million in restitution. He's scheduled to be sentenced on Sept. 6.
In December 2011, Hammond, who went by the hacker alias "Anarchaos," along with other members of the hacktivist group AntiSec, an off-shoot of Anonymous, hacked into Stratfor's computer systems, authorities said.
Hammond, along with AntiSec members, stole e-mails and account information for about 860,000 Stratfor subscribers or clients, authorities said. That included credit card information for about 60,000 individuals that was used to make more than $700,000 in unauthorized charges.
Surgery Patients' Info Posted to Website
Sonoma Valley Hospital in Sonoma, California is notifying 1,350 surgery patients that information about them was mistakenly posted to the organization's website.
On Feb. 14, an employee accidentally uploaded personal information on the patients to the hospital's website, according to local news outlet Sonoma Valley Sun. The information was placed on a section of the website that was not accessible only through a search engine, according to the report.
Affected individuals include those who underwent surgery from July 1, 2011 to June 30, 2012, the news report said. Exposed information includes patient name, date of service, procedure, surgeon, hospital charges and name of insurance company.
The hospital did not respond to a request for comment.
Paper Medical Records Missing
Jackson Health System in Florida is notifying 1,400 patients about the loss of several boxes of paper medical records.
The records are missing from the Jackson Health System Health Information Management department, according to a statement from the system, which owns six hospitals and numerous other facilities.
Compromised information includes personally identifiable data on medical diagnoses, surgical procedures and other healthcare data protected from public disclosure under federal privacy laws, according to a health system spokesperson.Jackson Health System stresses that Social Security numbers, credit card numbers and financial statements were not involved. Nevertheless, the healthcare system is providing impacted individuals with free credit monitoring services for one year.
Airport Website Hit by Hacker Group
The Akron-Canton Airport is reporting a breach of its website by a hacker group.
The attack occurred on May 25, according to a statement on the airport's website.
Information that was obtained by the hackers included entries to contests on the airport's website, the statement said. Those include names, e-mails, cities and phone numbers.
It's unclear how many individuals were affected. The airport is recommending those who signed up for an airport contest in the past two years to change their e-mail passwords as a precaution.