In a brief blog post Chris Vickery at MacKeeper Security Watch has identified an 11 gigabyte data breach affecting US Special Ops. According to Vickery the data: “contained the names, locations, Social Security Numbers, salaries, and assigned units for scores of psychologists, and other healthcare professionals, deployed within the US Military’s Special Operations Command (SOCOM).” Compounding the breach was the fact that the data was not even protected by a username or password.
The data was leaked by Potomac Healthcare Solutions. They are subcontractors to Booz Allen Hamilton who use them to provide healthcare workers to the US government. This is not the first time Booz Allen Hamilton has had problems with data breaches. It employed Edward Snowden and last year another employee was found stealing classified information.
A classic case of incompetence
This breach is different. It is not about stolen data but what appears to be, from Vickery’s post, a classic case of incompetence. Vickery says the data was exposed by: “an unprotected remote synchronization (rsync) service active at an IP address tied to Potomac.” This appears to be a fairly basic security failure. There are some serious questions for Booz Allen Hamilton. Did they ever validate the security of their subcontractor? If not, why not? If they did, why was this not spotted? What processes were in place to monitor security of systems?
These are also questions need to be answered by Potomac. However, there are more serious issues here than just a security failure. Vickery has documented the problems with getting anyone at Potomac to take this issue seriously. Despite contacting them and sending email proof of the breach Vickery says: “Much to my surprise, the unprotected file repository was still up and available an hour later. It shouldn’t take over an hour to contact your IT guy and kill an rsync daemon.” Vickery eventually managed to find a member of senior management who did act and the data was taken down.
A process failure or no process at all?
The big question for Potomac is why it ignored an alert from a reputable security researcher? It is easy to say this is a breach of security processes. However, few companies actually have a process to deal with alerts from security researchers. Ask IT security teams to name security researchers and they would probably struggle to name ten active individuals. They are also unlikely to have contact with any of them on a regular basis. Even if they did know the researcher they would still want to validate any alleged report before acting.
Could this have been handled faster? Again it is easy to say yes. But would a CEO know who to escalate such a call to? If they passed it to their CISO or CIO would they know how to check for an unsecured rsync? It’s highly unlikely. They would need to find the right person in the company before anything happens.
Even if the alert was passed to the Booz Allen Hamilton Security Operations Centre it is questionable what they could do. It is unlikely that they would have direct access or control over a subcontractors IT systems. This means that they could not block the rsync link or reset it.
Conclusion
This all seems like a classic case of incompetence compounded by a lack of an incident response plan. The delays in acting on the data means that it could easily have been stolen even after the breach was known about. However there is a wider lesson here. Data breaches are on the rise. Companies need to ensure that they have a valid and tested process that can respond to alerts from security researchers. This means being able to escalate a call to the right person no matter the time of day.
It will be interesting to see what Potomac says about all of this once it has investigated the incident. At the moment it is maintaining press silence and not responding to emails. This is not the only US Department of Defense contract that Potomac has. In light of this attack it will want to prove that this was a one-off incident that cannot happen again.
UPDATE
Potomac Healthcare Solutions have issued an update on the completion of their investigation into this breach