Though unnamed in a breach notification and follow-up reports, a professor of ethical hacking at City College San Francisco (CCSF), Sam Bowne, has come forward on the internet to clarify that he did not demonstrate hacking a medical center's server in a class, but rather came across sensitive information during a Google search.
In a Thursday post, Bowne said he performed the search and connected to an open FTP server full of medical information that ended up being from E.A. Conway Medical Center, a part of the University Health System. He explained that he was not teaching a class at the time and did not demonstrate it to anyone, as was indicated in a SCMagazine.com Data Breach Blog post and other published reports.
In a legal notice made available online, University Health wrote that the information found on the open server – guarantor names, account numbers, payment amounts and “incorrect addresses” for 6,073 individuals – dated back to 2012 when the server was under Louisiana State University Health Sciences Center's control.
Bowne said he did not show the information to anyone but rather sent emails to “several addresses at the institution responsible for the server, lsuhsc.edu,” notifying them of his findings. In a pasted copy of his email, dated June 17, Bowne explains that the FTP server had been compromised and files were added, but also that dozens of files containing what he said appeared to be names and addresses were posted publicly for at least a year – and were “copied to other servers by FTP search engines.”
Bowne said he never received a reply regarding the incident, but since the server was no longer accessible within a few hours, he considered the notification a success. In its Aug. 15 legal notice disclosing the breach, University Health stated, “On June 17th, a Computer Science Professor from City College, San Francisco, CA, demonstrating potential vulnerabilities of computer system[s] to his class made it known to University Health that he successfully accessed a server housed at E.A. Conway Medical Center, affecting 6,073 individuals.”
Andrew Conkovich, chief compliance officer at University Health, told SCMagazine.com on Friday that the line, “demonstrating potential vulnerabilities of computer system[s] to his class,” was included because Bowne posted his findings – including the email he sent and images with redacted information – to the website he uses for his classes shortly after the FTP site was gone, as well as posted about it on Twitter.
The News-Star reported the breach on Aug. 19 in a story that appears to have been taken predominantly from the legal notice, but also sources Jeff Cowart, a consultant with University Health. Sourcing that report, SCMagazine.com initially published its blog post on Aug. 20 – incorrectly interpreting the reference to the unidentified professor's actions as him exploiting bugs in a server in front of his class – without following up with CCSF or University Health for clarification.
At press time, Sam Bowne had not responded to a Thursday email and Friday phone call from SCMagazine.com for comment.