A hacker has stolen data from a medical centre in the United Arab Emirates. The Al-Zahra Private Medical Centre was apparently hacked last month by an individual known on Twitter as @websiteshunter.
The data was analysed by databreaches.net and apparently contains several pieces of personally identifiable information. The tranche included spreadsheets containing information on potential employees and on visitors, with notes about the medical conditions they came to the centre with. The two spreadsheets totalled over 5000 entries.
Databreaches.net attempted to contact the medical centre to alert them of the breach, but as of writing have not heard back from the centre.
@websiteshunter announced his ‘achievement’ on 31 August on Twitter.
@websiteshunter seems to be making the rounds in the Gulf states, claiming to have pulled off several hacks on institutions around the region and the world. Other claimed belt notches include an escort agency in Moscow, a Kuwaiti vehicle importer and a restaurant in Hong Kong, along with a bounty of others around the UAE.
“This recent hack demonstrates that you should never be complacent with your security controls,” Neil Haskins, general manager, Middle East for IOActive, told SCMagazineUK.com. “In many cases, just a few small changes to your IT environment could prevent such a breach occurring. Based on our understanding of this breach, there were poor IT admin passwords, patient information was in clear text and the web site had several key vulnerabilities.”
The miscreant makes his intentions known in the profile section of his Twitter account: “#hacked account by websites hunter to publish his arts. I #hack to make unqualified #IT pay the price of being ignorant .. unqualified IT expect me…”
The veneer of some kind of broader social conscience is not uncommon within hacking. The hacking collective OurMine, which most recently hijacked the content management system of Variety magazine, has made a name for itself by taking over the accounts of major Silicon Valley figures, including Uber CEO Travis Kalanick and Twitter founder Jack Dorsey.
Consistently, the group claims it is out to correct poor security by highlighting poor examples among figures who really should know better. Their high-profile account hijacks often come with a link to their website, where they offer a variety of security services to those impressed with these stunts.
This, Jovi Umawing, malware intelligence analyst at Malwarebytes, told SC, “is a well worn theme. Regardless of how noble these actors claim their intentions to be, such an act is generally frowned upon as it does more harm than good, especially if the attack also involves the compromise of personal information.”
“I think of it this way. It's as though I arrive home one day to find some of my personal things on the pavement and a note pasted to the front door telling me that my home security is weak and that the author broke into my house to highlight the weak security features and to make the lock manufacturer pay. I certainly wouldn't see it as a salutary lesson in security and be grateful to the person who did it,” David Emm, principal security researcher at Kaspersky Lab, told SC.
“Clearly, it's not ‘unqualified #IT’ that will ‘pay’, but those whose personal data has been compromised.”
However, this ‘unwanted pen testing’ shouldn't disqualify its legitimate application, added Emm: “There's undoubtedly a place for penetration testing. Indeed, I would say that it's vital that companies put themselves in the place of a would-be attacker in order to identify weaknesses in their defences. However, such actions are legitimate only when carried out by authorised staff or third parties.”