Virginia Prescription Monitoring Program compromised - 8 million records held for ransom.

07 May 2009

Yesterday morning, word got out through the Internet Storm Center that the web server of the Virginia Prescription Monitoring Program was compromised by an unknown attacker. The VPMP is tasked with recording all of the pharmaceutical prescriptions filled in the state of Virginia for the purpose of data mining to determine who may or may not be abusing prescription drugs, and probably who may or may not be selling their prescriptions on the street. Given that Virginia enacted some annoying laws a couple of years ago that require a photo ID to get hold of Sudafed and placed limits on how much Sudafed you could buy in a month's time (never mind that the meth labs just stole entire shipping crates of Sudafed out of trucks), this database probably also contains the driver's license ID numbers of everyone who's ever picked up a prescription or had an allergy attack in the past couple of years. The cracker replaced the front page with a ransom demand stating that he/she/they had downloaded the records of 8.2 million consumers (including the drugs prescribed (which is enough information to potentially embarrass a lot of people), names, addresses, and Social Security Numbers), made an encrypted backup of the data, and deleted the original database and all its backups from their production network. The cracker is asking for $10M US in exchange for not selling the user data on the black market and for turning over the key to decrypt the data.

The ransom note was put up on 30 April 2009. The deadline to pay the ransom was supposed to be a week later: Today.

What really pisses me off is that they tried to keep this quiet - it wasn't the news media that broke this story, it was Wikileaks publishing the ransom note that had been removed from the Prescription Monitoring Program's website when it was taken offline. Someone working that clusterfuck leaked it, when they weren't supposed to, around 3 May 2009. It was only yesterday that the news media caught wind of it, probably after it hit the ISC. The FBI and Virginia state police have been called in, but it's anyone's guess as to whether or not they've got the tech chops to figure out what actually happened. Laura Southard of the Virginia Department of Health says that the VPMP website is now secure - of course it is, it's been taken offline. It says something, I think, that if you do a Google search on this project the third result returned is the login page for their website (which is also inaccessible).

The first thing the VPMP dropped the ball on was backing up their data. Backups are often the first thing a lot of shops get wrong (even before patching), because they're supposed to be worked out in detail during the planning phase of a major project, before anyone starts shelling out money to buy hardware and software. You never, ever keep your backups anywhere that other people can get to them. Ideally, backups are pull-only: the backup server contacts an agent on the client and starts sucking down data to store offline. The client has no way of sending commands to the backup server, which would prevent... oh, I don't know... an attacker from sending a couple of commands that cause the backup media to be purged, or that turn off the backup functionality entirely.

Second, a lot of shops decide not to spend the money on backup software, tape drives, and a supply of tapes because they're expensive. I won't kid you about that, but investing in the gear to make reliable backups of your data costs a lot less than the ransom demand that the VPMP is dealing with. While you can make backups to removable hard drives or optical disks, you can really only get away with that if you have a network not much bigger than a home office, because those methods don't scale terribly well.

Third, when They say that you should be reading through your logs every day to make sure that everything's running as expected, or at least running them through some analysis software, They're not kidding. I have a sneaking suspicion that if they go through the server logs for the compromised systems they'll find some very interesting things.
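To make the pull-only backup idea concrete, here is a small sketch I've added (it is not code from the original post and has nothing to do with the VPMP's actual setup). It shows the two halves of the design: the forced-command guard that would sit in the client's authorized_keys entry for the backup server's key, so that key can only run rsync in read-only "sender" mode on the client and never a shell or a delete; and the pull routine the backup server runs to drag the data into a dated snapshot store that the client has no credentials for. The guard is a simplified stand-in for the rrsync helper that ships with rsync (which has a real -ro mode); the paths, key name and snapshot labels are placeholders, and the "client" in the demo is a local directory so it runs offline.

```shell
#!/bin/sh
# Added example: pull-only backups. Not from the original post; all paths,
# hostnames and key names are placeholders.
#
# backup_guard: the forced-command check installed on the CLIENT (the host
# being backed up). sshd sets SSH_ORIGINAL_COMMAND to whatever the backup
# server's key tried to run; only rsync's read-only "sender" invocation is
# allowed through. A real wrapper would end with:
#     backup_guard "$SSH_ORIGINAL_COMMAND" && exec $SSH_ORIGINAL_COMMAND
backup_guard() {
    cmd="$1"
    case "$cmd" in
        "rsync --server --sender "*) ;;   # the form rsync uses for a remote pull
        *) return 1 ;;                     # shells, rm, pushes (no --sender), etc.
    esac
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*) return 1 ;;  # no chaining/redirects
    esac
    return 0
}

# The authorized_keys line the client would carry for the backup server's key.
# The extra options stop the key being reused for forwarding or an interactive PTY.
authorized_keys_line() {
    printf 'command="/usr/local/bin/backup-guard",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# pull_snapshot SRC_DIR STORE_DIR LABEL
# Run on the BACKUP SERVER: copy SRC_DIR into a fresh STORE_DIR/LABEL and write
# a manifest of what was taken. In production SRC_DIR would be something like
# backup@client.example:/var/lib/pmp reached with rsync over ssh; here it is a
# local directory so the example runs offline. Existing snapshots are never
# overwritten, so a bad run on the client side cannot clobber older copies.
pull_snapshot() {
    src="$1"; store="$2"; label="$3"
    dest="$store/$label"
    [ -e "$dest" ] && { echo "snapshot $label already exists, refusing" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -R "$src/." "$dest/" || return 1
    ( cd "$dest" && find . -type f | sort ) > "$store/$label.manifest"
    return 0
}

# Number of snapshots held in the store (one directory per snapshot).
snapshot_count() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Stand-alone demonstration with constructed data.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/client/db" "$work/store"
    printf 'patient,rx\n' > "$work/client/db/records.csv"          # constructed sample
    pull_snapshot "$work/client" "$work/store" 2009-04-29 || return 1
    printf 'patient,rx\nrow2\n' > "$work/client/db/records.csv"    # data changes on client
    pull_snapshot "$work/client" "$work/store" 2009-04-30 || return 1
    echo "snapshots held: $(snapshot_count "$work/store")"
    echo "authorized_keys entry for the client:"
    authorized_keys_line "ssh-ed25519 AAAA...PLACEHOLDER backup@backupserver"
    rm -rf "$work"
}
```

The point of the split is that nothing on the client can reach the snapshot store at all: the client holds no key for the backup server, and the only key that crosses the gap in the other direction is pinned to a read-only rsync command. Purging the backups would require compromising the backup server itself, not just the web host.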

I don't think I need to point out the fact that their infosec teams weren't doing a few things right because the very fact that this incident happened makes the point intuitively obvious (as one of my old professors would say). However, I feel that I should point out that this could have been done by an insider, which means that a lot of safeguards for external attacks could have been bypassed. There are entirely different safeguards and countermeasures for insider threats, however, and it's possible that those just didn't work. Then again, if someone on your infosec team goes rogue you're pretty much screwed no matter what.

I also feel that I should point out that the Health Insurance Portability and Accountability Act expressly states that PHI (Protected Health Information) should be protected from and monitored for unauthorized access or modification, which brings me right along to my next question: why in the hell are they using Social Security Numbers in their records? When you pick up a scrip in Virginia you have to show photo ID of some kind, and the "customer number" of that photo ID ([A-Z][0-9]{2}-[0-9]{2}-[0-9]{4} for drivers' licenses) is written down by the pharmacist along with your name, phone number, address, and a couple of other things that I couldn't see because they noticed I was taking an unusual interest in that page of the big white binder at CVS. Those ID numbers are supposed to be unique identifiers in their own right, and should be more than sufficient for indexing patient records in that database. I realize that I'm being hopelessly naive here, but one would think that after years of data breaches, the powers that be would get a clue and stop putting information useful for identity theft anywhere near the public Net.

One of these days I'll get around to posting my rant about "compliance is not security."