Several of my recent data breach discoveries have resulted in little response from the affected companies. The data is usually secured shortly after my notification attempts, but a proper response should not simply end there.
For example, let's look at the Sheet Metal Workers Union. In early October, I found a database backup belonging to their Northern California branch which contained over 24,900 members' names, social security numbers, phone numbers, addresses, ethnicity, beneficiaries, etc., etc. Basically, if I was an identity thief, I would never need another list of victims, and they left it completely exposed to the public internet through a passwordless rsync server.
In addition to that database backup file, there were PDF union member files named in the following fashion: “Last Name, First Name, Social Security Number.pdf”. Can you believe someone thought that would be a good idea?
So, on October 10th I left a voicemail with the Northern California branch's main office explaining the security blunder. The database and other files were secured sometime shortly thereafter (within a day or two). However, I haven't heard anything in response from the Sheet Metal Workers Local 104. They have my name and phone number. They know that my message was accurate. Shouldn't they have some questions for me? Perhaps so that when they (hopefully) let their members know of the security failure, the union can at least be fully informed of every relevant detail. That seems like the reasonable thing to do.
Now, let's look at a slightly more complex example: Did you know that State Farm recently had a fairly serious data breach incident? Around 3,000 extremely detailed client files were leaking out onto the open internet. It's true, but technically the leak stemmed from one of State Farm's Pennsylvania law firms, Goldberg Miller & Rubin, rather than directly from State Farm. There should be a redacted screenshot above this post illustrating the very personal nature of these files.
I spoke with Goldberg Miller & Rubin in mid-October, and the data was secured within a few hours, but I don't know for sure if the law firm ever told State Farm about the situation. This, as I recently learned, could lead to some hefty consequences. State Farm is more than just an insurance company. They actually run a bank these days. That binds State Farm to the high standards of security that a financial institution must follow. These standards are heavily regulated and can be viciously enforced.
What I'm trying to say is this: “Hey State Farm, did Goldberg Miller & Rubin tell you about the leak? Feel free to get in touch with me if you'd like to know more about the situation.”
I feel like ending on a high note, so lets move on to a much better example of incident response involving US Military related data: A retired colonel, named John Warden, runs a consultancy business called Venturist Inc. This company provides “strategic planning and execution training for management and leadership teams.” Colonel Warden is the architect behind the US Air Superiority strategy which was utilized during the first Gulf War and, from seeing the files which were exposed, it is apparent that he still provides some level of advice to the US Military.
Venturist Inc, like the previous two organizations mentioned in this post, was running an unauthenticated, publicly exposed rsync service which was connected to an internal company file system. Screenshots, that I have redacted, showing the kind of files which could be found are included with this post (probably the last two images above, as I'm never quite positive which order they will end up displayed on this page).
Col. Warden took quick action. He had an employee call me the day following my weekend breach notification email and voicemail message. During this call, the employee and I were able to figure out which storage device was causing the problem and, as an immediate quasi-fix, she unplugged the unit from its power outlet. I confirmed to her that as soon as she unplugged it, the data became unreachable on my end.
I'll leave you with the appreciative email I received later that day from Col. John Warden himself. Keep this in mind the next time you hear about a security researcher being attacked in response to a breach notification:
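All three leaks described in this post (the union's database backup, the law firm's client files, and Venturist's file share) came down to the same misconfiguration: an rsync daemon with a module that anyone on the internet could read because no `auth users`, `secrets file` or `hosts allow` restriction was set. The following audit script is an added example written for this post, not code from the original article or from any of the organizations mentioned. It parses an rsyncd.conf (constructed here, with one module that looks like the leaky ones and one hardened module) and reports which modules would be readable by any anonymous client; the key names and defaults are those of rsync's own rsyncd.conf format, while the config contents and module names are assumptions for the demonstration.

```python
"""Audit an rsyncd.conf for modules that would be exposed without authentication.

Added example, not from the original post. The config text below is constructed
for illustration. Parsing follows rsyncd.conf conventions: an optional global
section, then one [module] per bracketed header, `key = value` lines, comment
lines starting with '#' or ';', and module settings inheriting global values.
"""
import re

# Constructed rsyncd.conf. "backups" is the kind of module behind the leaks in
# the post (no auth users, any host, listable); "payroll" is a hardened module.
SAMPLE_RSYNCD_CONF = """\
# global settings apply to every module unless the module overrides them
uid = nobody
gid = nobody
use chroot = yes

[backups]
    path = /srv/backups
    comment = database dumps and member files
    read only = yes

[payroll]
    path = /srv/payroll
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/24
    list = no
    read only = yes
"""


def parse_rsyncd_conf(text):
    """Return (global_settings, {module_name: settings}) with normalised keys."""
    global_settings = {}
    modules = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # rsync ignores case and internal whitespace in parameter names
        key = " ".join(key.lower().split())
        current[key] = value.strip()
    return global_settings, modules


def effective(module, global_settings, key, default):
    """Module value, else the global value, else rsync's documented default."""
    return module.get(key, global_settings.get(key, default))


def audit_rsyncd_conf(text):
    """Map each module name to the list of weaknesses that make it risky to expose."""
    global_settings, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, mod in modules.items():
        issues = []
        # default for "auth users" is empty: every client is accepted without a password
        if not effective(mod, global_settings, "auth users", ""):
            issues.append("no auth users: any client may connect without a password")
        # default for "hosts allow" is empty: every source address is allowed
        if not effective(mod, global_settings, "hosts allow", ""):
            issues.append("no hosts allow: every source address is accepted")
        # "read only" defaults to yes; a writable anonymous module is worse still
        if effective(mod, global_settings, "read only", "yes").lower() in ("no", "false", "0"):
            issues.append("read only = no: clients can write into the module")
        # "list" defaults to yes: the module name is shown to anyone who asks
        if effective(mod, global_settings, "list", "yes").lower() not in ("no", "false", "0"):
            issues.append("list = yes: module is advertised to anonymous clients")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}] {'EXPOSED' if issues else 'ok'}")
        for issue in issues:
            print(f"    - {issue}")
```

Run against the constructed file it flags `backups` on three counts and passes `payroll`. Two caveats for anyone using this on a real host: the rsync daemon's own password check does not encrypt the transfer, so a module that holds personal data should only be reachable over a private network or tunnelled through SSH, and a clean config is no help if the daemon is listening on a public address the firewall lets through, which is the state all three organizations in this post were in.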
Thank you so much for bringing this to our attention and double thanks for going to the trouble of finding emails and phone numbers. […] without you, we would have gone blithely about our business and been feeding data to all kinds of nasty people. If there is anything I can do for you, please let me know. Among other things, I would be delighted to send you a copy of my book Winning in FastTime. Just give us a FedEx address when you can. Again, many thanks and continued good luck with your research and reporting!
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.