Special Ops Healthcare Worker Breach
Potomac Healthcare Solutions provides healthcare workers to the US Government through Booz Allen Hamilton (you know, Snowden’s old employer). It is not presently known why an unprotected remote synchronization (rsync) service was active at an IP address tied to Potomac. I do know that when I called one of the company’s CEOs this past Thursday to report the exposure, he did not seem to take me seriously.
At the end of our short conversation he asked me to send an email. So, I did. After we hung up, I sent an email to Potomac’s two co-CEOs detailing the breach and included their Social Security Numbers, home addresses, dates of birth, and phone numbers. Here’s the intro:
Hello again Mr. Joseph,
You and I just spoke over the phone a couple of minutes ago. I described to you a recent publicly-accessible collection of data I have discovered that appears to be internal Potomac Healthcare files. You requested that I send over an email. I have also put Mr. Burden as a recipient and attached a file that should demonstrate that this is not a hoax.
I am, primarily, concerned for national safety's sake as there are things like names, email addresses, phone numbers, and Social Security Numbers for people that appear to work both directly at your facilities and at US military installations.
I figured that would do the trick. Much to my surprise, the unprotected file repository was still up and available an hour later. It shouldn’t take over an hour to contact your IT guy and kill an rsync daemon.
That last point is especially true when your publicly exposed files contain, in addition to healthcare workers, the names and locations of at least two Special Forces data analysts with Top Secret government clearance.
I decided to, basically, call Potomac’s boss. I’ve made a few contacts at various government agencies, some more helpful than others, most not wanting their names or departments to be mentioned… ever. So, I went through my email archives and found the appropriate phone number.
Potomac’s files went offline about 30 minutes later. I may never know for sure if that second phone call had anything to do with the documents finally being secured, but I’d like to think it might have helped.
It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information. Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org or email@example.com