COVID-19 Data Compromised in 'BlueLeaks' Incident
South Dakota Agency Confirms Patients' Virus Status Leaked
A South Dakota agency, one of 200 law enforcement agencies affected by the so-called “BlueLeaks” hacking of a web development firm in June, has disclosed that COVID-19 patient information was leaked (see: Police Data Leaked: Sign of Times?).
Last week, the South Dakota Department of Public Safety’s State Fusion Center began notifying an undisclosed number of individuals that their COVID-19 status, as well as their names, addresses, and birth dates, was compromised in a breach of Texas-based web developer Netsential.
State owned and operated fusion centers serve as focal points for the receipt, analysis, gathering and sharing of threat-related information among state and local governments and the private sector.
This spring, the South Dakota fusion center, using Netsential’s services, developed a secure online portal to assist first responders in identifying COVID-19-positive individuals, the center says in a notification letter sent to those affected.
"Law enforcement officers were not given a list of COVID-19 positive individuals but were able to call a dispatcher to verify whether a particular individual was COVID-19 positive," the center explains.
The COVID-19 related information was maintained on Netsential’s secure servers, and access to the information was restricted to South Dakota officials who received training in handling the data, the statement adds.
"Before uploading the information to Netsential, the fusion center took steps to ensure that if a third party ever accessed the file separately from the online portal, individual health information would not be disclosed," the notification says. "However, when processing this data, Netsential added certain labels to the file that could allow a third party to identify you and your COVID-19 status if the file was ever removed from Netsential’s system."
Netsential’s "security failure" allowed unauthorized access to its system by a third party, the notification adds.
A South Dakota fusion center spokesman declined to share further details. The incident is being investigated by the FBI, he says.
The FBI did not immediately respond to a request for comment, nor did Netsential.
The Department of Homeland Security on June 29 issued an alert about the "BlueLeaks" hacking of Netsential, saying a criminal hacker group called Distributed Denial of Secrets - also known as "DDS" and "DDoSecrets" - on June 19 "conducted a hack-and-leak operation targeting federal, state, and local law enforcement databases, probably in support of or in response to nationwide protests stemming from the death of George Floyd."
The hacking group leaked 10 years of data from 200 police departments, fusion centers and other law enforcement training and support resources around the globe, the DHS alert noted.
The 269 GB data dump was posted on June 19 to DDoSecrets' site, the hacking group said in a tweet that has since been removed. The data came from a wide variety of law enforcement sources and included personally identifiable information and data concerning ongoing cases, DDoSecrets claimed in a tweet.
Several days after DDoSecrets revealed the law enforcement information through its Twitter account in June, the social media platform permanently removed the DDoSecrets account, citing Twitter rules concerning posting stolen data.
Hacktivist Groups’ Methods
Prior to its Twitter account being suspended, DDoSecrets said on its Twitter page that its mission was publishing "materials submitted by sources, both leakers and hackers. We provide a stable platform for the public to access data and an anonymity shield for sources to share it, but are uninvolved in the exfiltration of data."
DDoSecrets' actions mirror those of the loosely knit hacktivist group Anonymous that has posted pilfered data from governments, politicians and financial institutions (see: Anonymous DDoS Attacks Spread, But What's the Impact?).
Among other agencies apparently affected by the BlueLeaks incident is the Iowa Law Enforcement Academy, according to a series of DDoSecrets tweets that have been removed by Twitter. On June 26, the Iowa Law Enforcement Academy issued a breach notification statement about the incident, saying the incident may have compromised “roster information” including law enforcement personnel’s names, employing agency, driver’s license numbers and rank or position.
More to Come?
Some experts say the BlueLeaks incident is an example of the type of hacktivist activity that could become more prevalent as the global pandemic persists and civil unrest in the U.S. continues.
"Hacktivists are most motivated during times of high political, socio-economic or socio-cultural tensions - such as we have now - and, consequently, it would not be at all surprising were there to be an uptick in activity," says Brett Callow, a threat analyst at security firm Emsisoft.
The most likely targets for hacktivist-related activities are political parties, government entities and private sector organizations that support or adopt a contentious position, he notes.
“At this particular point in time, state-backed actors and for-profit criminal enterprises probably represent a much greater security risk to both the private and public sectors,” he says. Those threat actors will be seeking to influence political outcomes and take advantage of the turmoil that the COVID-19 pandemic has caused, he adds.
"This really is a time at which organizations should look to batten down the hatches as the threat level is as high as it has ever been," he says.
In the healthcare sector, one of the most significant hacktivist incidents involved a distributed denial-of-service attack in 2014 on Boston Children's Hospital and Wayside Youth and Family Support Network in Framingham, Massachusetts, which was launched in protest of a controversial child custody case involving both organizations.
The attack disrupted the hospital's network for at least two weeks and hampered internet connectivity for other area hospitals.
In January 2019, the hacktivist who launched the attack, Martin Gottesfeld, a 35-year-old biotech professional, was sentenced to serve 10 years in federal prison and pay nearly $443,000 in restitution.