Unsecured Database Exposed on Web - Then DeletedResearcher Says Data on 3.1 Million Patients Exposed. Did 'Meow Bot' Fix the Problem?
While the exposure of insecure databases on the internet is relatively common, a recent incident featured an unusual twist - the data was mysteriously deleted.
In a blog Tuesday, independent security researcher Volodymyr "Bob" Diachenko writes of his discovery on July 13 of an unprotected database with information on 3.1 million patients that was exposed to the internet. The database appears to be owned by Adit, a Houston-based online medical appointment and patient management software company.
In an unusual development, on July 22, the database appears to have been deleted by a so-called "meow bot," the researcher says. "Unlike other malicious bots that find and delete exposed data, a meow bot doesn't ask for a ransom, which has led some to believe the bot is actually benevolent and aims to protect data subjects' information," he writes.
The unsecured Adit database included patient names, email addresses, phone numbers and the practices where patients receive treatment, Diachenko says. It was exposed on the web without a password or any other authentication required to access it, he says.
[NEW REPORT] 3.1 million patients' details exposed by a medical software company, ES cluster was 'meow-ed' and all data destroyed: https://t.co/TTKnSBNcmZ— Bob Diachenko (@MayhemDayOne) August 11, 2020
The researcher says he notified Adit of the data exposure July 13, but received no response. Adit did not immediately respond to Information Security Media Group's request for comment.
Diachenko says that on July 12, the unsecured database was indexed by search engine BinaryEdge. But on July 22 - after being exposed on the web for 10 days - "all indexes of the database were destroyed by the meow bot," he writes in his blog.
"I do not know at this time whether any other unauthorized parties accessed the data. But given that unsecured databases can be attacked within hours of being exposed, in our opinion it would seem likely."
The meow bot has attacked hundreds of unprotected databases in recent weeks, Diachenko writes.
Because the meow bot deletes sensitive data - potentially protecting individuals from harm - and does not demand a ransom from the organization that leaked the data, Diachenko writes that it could be considered more "benevolent" than malicious.
But some other security experts offer a different point of view.
"While 'benevolent bots' are often built and deployed by companies to perform certain functions ... benevolent bots in the wild would be risky at best," says former healthcare CIO David Finn, an executive vice president at the security and privacy consultancy CynergisTek. "I am not aware of any white hats out there trying to clean up the internet with an army of bots or botnets."
A bot could certainly be used for good - such as to destroy stale data - in a defined environment with clearly defined rules, Finn adds. "When you unleash a bot across the internet, you don't know how other networks work, you don't understand other people's data and you don't know the rules for destruction," he says.
Anurag Kahol, CTO and co-founder of security firm Bitglass, offers a similar assessment. "Organizations should not rely on benevolent bots to be their saviors in instances of leaving databases connected to the internet exposed without password protections," he warns.
"Also, the point of threats such as bots that scour the internet for exposed databases is to make them look benign, but actually be capable of dealing great damage. Besides, even if this bot's goal was to protect patients, it's also possible that more malicious actors were able to discover this database before the data was destroyed."
The "meow" moniker comes from the bot overwriting the word "meow" repeatedly in each database index that it finds unsecured. By overwriting the data, the bot destroys the contents of the database, Diachenko explains.
The apparent meow bot incident involving the Adit data appears to be similar to another attack Diachenko and security researchers at Comparitech discovered a week earlier that targeted Hong Kong-based UFO VPN, Diachenko writes in his blog.
Risk to Patients
Although Diachenko reports that the database that apparently belonged to Adit appears to have been destroyed, Jon Moore, chief risk officer at security and privacy consulting firm Clearwater, says the scenario potentially presents "significant risk" to patients.
"The most common is identity theft, which can pose both a financial risk as well as a risk of introducing errors into someone's health records," Moore says. "There are also risks like someone using the information to extort a patient."
A forensic analysis would need to be conducted to try to determine exactly what happened to the exposed database, Moore says. "The results of the analysis depend on there being sufficient evidence available to analyze. It is unknown if that information is available in this case," he says.
Diachenko tells ISMG that the Adit database exposure was likely due to a misconfiguration during database migration or firewall settings being turned off. "Those are the usual reasons for this type of mistake," he notes.
A number of large data breaches have involved misconfigured IT. For instance, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows two of the 10 largest health data breaches reported in 2019 involved misconfigured IT. That includes incidents involving Puerto Rico-based clearinghouse and cloud services provider Inmediata Health Group and UW Medicine in Washington state.
"Misconfigurations are a widespread and growing problem," Moore notes. "Technology is becoming more complex, making mistakes more common."
Many organizations lack well implemented and enforced policies and procedures around change control and secure configuration management, he adds. "Large organizations may have hundreds or even thousands of databases, and it only takes one mistake for this type of event to occur."
Moore predicts a surge in data exposure mishaps as more organizations move their data to the cloud.
"Cloud providers make it possible to deploy a server with the click of a button, which is great unless the server is not configured properly and is then used to create, maintain, receive or transmit protected health information," he says.
Organizations should take a number of critical steps to help prevent mishaps involving the unintentional exposure of data on the web, Moore says.
"Developing repeatable processes and training on those processes is an important first step," he notes. "Organizations also should develop secure configurations and enforce their use with automated tools if possible. Organizations should also be running their own scans and have regular scans done by third parties to identify misconfigured and exposed devices."
Software vendors - such as Adit - "need to build security and privacy into the design process and it should be tested through that entire life cycle until the product is moved to end of life and is withdrawn from the market, says CynergisTek's Finn.
"Encryption should be built in - both in transit and at rest," he says. "Access controls are very often inadequate and require no 'refreshing' - you set up the account and there is no additional identity or access checking, no password testing, changes, validation that the user is still an authorized user. Until security and privacy actually matter, we won't see significant change."