
Comments on: Attacker reportedly holds Virginia patient data hostage

Virginia Prescription Monitoring Program site remains down after attacker allegedly breaks into the Web site and deletes data, demanding a ransom to get it back.

by SergeM256 May 4, 2009 5:43 PM PDT
Back-ups gone missing - how is this possible? Every system is supposed to have daily backups on tapes and weekly backups stored off-site, usually tapes sent by UPS/FedEx to some remote storage facility.
by SIGHUP May 4, 2009 6:25 PM PDT
Are you joking about sending backup tapes using FedEx or UPS?
by Hunnter2k3 May 5, 2009 3:39 AM PDT
Agreed.
If you have backups connected to the internet, you deserve to lose data.
by SergeM256 May 5, 2009 3:40 AM PDT
No. You may remember a couple of years ago it was in the news that a FedEx truck had an accident, its cargo was lost or damaged and a tape with credit card data was lost. I don't remember what bank it was (I think it was BA). Apparently, it was a backup tape shipped for off-site storage. Weekly backups are stored off-site in case, for instance, fire destroys the building where the server is located or an earthquake or flooding destroys the whole city.
by SIGHUP May 5, 2009 5:38 AM PDT
@SergeM256

I am sure whoever sent those tapes via UPS or FedEx probably lost their job or at least should have. I would probably get fired at my company if I even mentioned sending tape backups via UPS or FedEx (which are encrypted and in a locked Pelican case).
by ferretboy88 May 4, 2009 7:50 PM PDT
When they find this guy he should be hung by the neck until dead.
by imacpwr May 4, 2009 10:32 PM PDT
And they should string up the system administrator in charge of backing up all data as well...!!
by ZetaZeta_ May 6, 2009 5:33 PM PDT
Why do white collar crimes deserve death? -__-
by kev7773 May 5, 2009 5:35 AM PDT
Depending on their setup, it is very possible that they run their offsite backups via WAN to an offsite DASD, eliminating the need for tape as well as the risk that tape imposes. This would make sense for the number of records and transactions that they would house.

However, to have it that exposed that you could wipe out the backups through a website is completely ridiculous. Whoever their network security person is is going to have a lot of questions to answer.
by Bill_46 May 5, 2009 6:45 AM PDT
I predict the highest cost of this event will be imposed upon legitimate users of Virginia's computer systems in the form of even more onerous, time wasting, mission interfering (yet, still ineffective) computer system security procedures.
by alegr May 5, 2009 9:33 AM PDT
Another SQL injection hole... The developers should be fired...
by Dr_Zinj May 5, 2009 9:44 AM PDT
Kind of casts a CLOUD over an internet backup service, doesn't it?
by Mergatroid Mania May 5, 2009 10:58 AM PDT
We back up our data ourselves, and store it offline.

This way we have no one to blame but ourselves if something goes wrong, and since nothing can go wrong using this method there will never be anyone to blame.

Although I agree with the person who said "hang him from the neck until dead", I would go with the simpler option of a $0.50 bullet to the back of the head.

I'm growing so tired of the internet being a mine field of ripoffs and scams, maybe a few dead hackers would make them think twice.

And for all the bleeding hearts, sure just offer, I'll be glad to pull the trigger myself.
by paulej May 5, 2009 1:40 PM PDT
@Mergatroid Mania, I have to disagree with you. The hackers might be counted as evil, why what I personally consider even worse is the fact that the system was even accessible by the outside. If one has very valuable data that one does not want to have exposed, then do not connect it to the Internet. And, if it is data that you must connect to the Internet, then you should design the system in such a way that one does not have direct access to the whole database. The more I hear these kinds of reports, the more I shake my head in disbelief that people would be so careless with data.
by y3kcompliant May 5, 2009 1:28 PM PDT
Pretty sure the company managing the project in Virginia is Optimum Technology (www.otech.com).
by n3td3v May 6, 2009 8:31 AM PDT
Inside job to attract the attention of Obama and get media reportage on cyber security.