Security researchers recently found a server being used to harvest private information consisting of stolen data from 40 international businesses, as well as health-related information on patients worldwide.
What's more, the stolen data contained no access restrictions or encryption, leaving it unprotected and available to anyone on the web
“The fact that the information was wide open indicates that whoever was behind this had no security background and was not a sophisticated hacker,” Yuval Ben-Itzhak, chief technology officer of security firm Finjan, which made the discovery, told SCMagazineUS on Tuesday. “He was probably using a malware toolkit he purchased.”
According to a report from Finjan, the server was located in Malaysia but contained data from all around the world, including North America, Europe and Asia. The server was up only three weeks, but was able to collect 1.4 GB of data. The compromised data was detected using active real-time code inspection technology while diagnosing a user's web traffic.
The Finjan report, available here, contains examples of compromised data such as bank customer data, email communications and patient data.
Ben-Itzhak told SCMagazineUS.com that the server was shut down two days after the find was reported. However, the criminal behind it has not been found. The server contained 5,388 unique log files traced back to 5,878 distinct IP addresses.
Alarming too was that some of the data was health related. The exposure of the data, which must be protected under Health Insurance Portability and Accountability Act guidelines, to criminal elements compromises not only the patient, but also the medical institution/health care provider involved, as well as employees of the institution, Ben-Itzhak said.
The FTC Health Breach Notification Rule was enacted 10 years ago to protect the privacy and security of consumer health data not covered by HIPAA, but it was never enforced. A policy decision enacted on Sept. 15 will change that.