May 4, 2009 5:23 PM PDT

Attacker reportedly holds Virginia patient data hostage

by Elinor Mills

An attacker tried to extort $10 million after breaking into a Virginia state Web site used to track prescription drug abuse and allegedly holding the data hostage, according to a posting on the Wikileaks Web site.

The ransom message on the Virginia Prescription Monitoring Program site read:

"I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."

The site, which was broken into late last week, was not accessible late on Monday.

Sandra Whitley Ryals, director of Virginia's Department of Health Professions, told The Washington Post that a criminal investigation is under way by federal and state authorities. An FBI spokesman declined to comment.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by SergeM256 May 4, 2009 5:43 PM PDT
Back-ups gone missing - how is this possible? Every system is supposed to have daily backups on tapes and weekly backups stored off-site, usually tapes sent by UPS/FedEx to some remote storage facility.
by SIGHUP May 4, 2009 6:25 PM PDT
Are you joking about sending backup tapes using FedEx or UPS?
by Hunnter2k3 May 5, 2009 3:39 AM PDT
Agreed.
If you have backups connected to the internet, you deserve to lose data.
by SergeM256 May 5, 2009 3:40 AM PDT
No. You may remember a couple of years ago it was in the news that a FedEx truck had an accident, its cargo was lost or damaged and a tape with credit card data was lost. I don't remember what bank it was (I think it was BA). Apparently, it was a backup tape shipped for off-site storage. Weekly backups are stored off-site in case, for instance, a fire destroys the building where the server is located or an earthquake or flooding destroys the whole city.
by SIGHUP May 5, 2009 5:38 AM PDT
@SergeM256

I am sure whoever sent those tapes via UPS or FedEx probably lost their job or at least should have. I would probably get fired at my company if I even mentioned sending tape backups via UPS or FedEx (which are encrypted and in a locked Pelican case).
by ferretboy88 May 4, 2009 7:50 PM PDT
When they find this guy he should be hung by the neck until dead.
by imacpwr May 4, 2009 10:32 PM PDT
And they should string up the system administrator in charge of backing up all data as well...!!
by ZetaZeta_ May 6, 2009 5:33 PM PDT
Why do white collar crimes deserve death? -__-
by kev7773 May 5, 2009 5:35 AM PDT
Depending on their setup, it is very possible that they run their offsite backups via WAN to an offsite DASD, eliminating the need for tape as well as the risk that tape imposes. This would make sense for the number of records and transactions that they would house.

However, to have it that exposed that you could wipe out the backups through a website is completely ridiculous. Whoever their network security person is is going to have a lot of questions to answer.
by Bill_46 May 5, 2009 6:45 AM PDT
I predict the highest cost of this event will be imposed upon legitimate users of Virginia's computer systems in the form of even more onerous, time wasting, mission interfering (yet, still ineffective) computer system security procedures.
by alegr May 5, 2009 9:33 AM PDT
Another SQL injection hole... The developers should be fired...
by Dr_Zinj May 5, 2009 9:44 AM PDT
Kind of casts a CLOUD over an internet backup service, doesn't it?
by Mergatroid Mania May 5, 2009 10:58 AM PDT
We back up our data ourselves, and store it offline.

This way we have no one to blame but ourselves if something goes wrong, and since nothing can go wrong using this method there will never be anyone to blame.

Although I agree with the person who said "hang him from the neck until dead", I would go with the simpler option of a $0.50 bullet to the back of the head.

I'm growing so tired of the internet being a mine field of ripoffs and scams, maybe a few dead hackers would make them think twice.

And for all the bleeding hearts, sure just offer, I'll be glad to pull the trigger myself.
by paulej May 5, 2009 1:40 PM PDT
@Mergatroid Mania, I have to disagree with you. The hackers might be counted as evil, but what I personally consider even worse is the fact that the system was even accessible from the outside. If one has very valuable data that one does not want to have exposed, then do not connect it to the Internet. And, if it is data that you must connect to the Internet, then you should design the system in such a way that one does not have direct access to the whole database. The more I hear these kinds of reports, the more I shake my head in disbelief that people would be so careless with data.
by y3kcompliant May 5, 2009 1:28 PM PDT
Pretty sure the company managing the project in Virginia is Optimum Technology (www.otech.com).
by n3td3v May 6, 2009 8:31 AM PDT
Inside job to attract the attention of Obama and get media reportage on cyber security.