Feb 152019

Yet another healthcare provider has revealed that they were hacked by thedarkoverlord (TDO).  Dr. Robert Spies, a plastic surgeon in Scottsdale, Arizona, has notified HHS and his patients of the hackers’ attempt to extort the practice.

Although he does not name the hackers responsible in a notice on his web site, Dr. Spies explains:

On December 10, 2018, we became aware cyber criminals gained unauthorized access to our computer network. We immediately contacted the FBI and local law enforcement authorities and have been cooperating with their investigations. We also engaged computer experts to determine if our systems and information were at risk. The investigation determined that the criminals could have viewed or accessed documents that contained patients’ personal and medical information, including names, addresses, dates of birth, procedure notes, diagnoses, medications and health insurance numbers. For a small handful of patients, the criminals could have viewed Social Security, driver’s license and/or passport numbers, if provided for verification purposes, a credit card number or financial account number, or pre-op photos. At this time, there is no evidence that patient information has been misused.

His report is entirely consistent with other information DataBreaches.net had obtained about this incident. In December,  thedarkoverlord had posted a notice on KickAss that said:

We’ve hacked a high-end plastic surgery business located in Arizona, United States. This surgery center is owned by Doctor Robert J. Spies and operates on celebrity patients. His website is (www.azplasticsurgerycenter.com). We’ll share some of his data with yoou, since he’s refused our most handsome business proposition.

Link: (link redacted by DataBreaches.net, even though it is no longer live).

If you’d like to let him know how foolish he’s been, you can SMS his mobile at (redacted by DataBreaches.net) or his e-mail at (redacted by DataBreaches.net).

The sample data was a 531.8 MB archive with folders containing “Dictations”  (75 files), “Photos” (more than 160 photos),  and “Patient ID Verification” (4 files).  The Dictations folder and Photos folder contained more than one file or image for some patients, so these were not all unique patients in each folder.

Many of the photos in the archive released by the hackers would permit identification of patients because in some cases, you can see the patients’ faces, and in other cases, the filenames for the photos may contain the patient’s first initial and last name.

DataBreaches.net is not reproducing any of the data from the archive the hackers provided.

Inspection of the meta data suggests that the newest dictation files were created December 5, 2018 and related to services or consultations conducted on November 28, 2018.

As with their hack of the London Bridge Plastic Surgery Center,  TDO may have hoped that people — especially celebrities — would pay good money not to have their before, during, or after pictures of plastic surgery released publicly.  Whether TDO is privately trying to extort patients directly is unknown to this site, but Dr. Spies seems to have refused to pay them, and has reported the incident to law enforcement, HHS, and his patients.  According to his notification to HHS,  he has notified 5,524 patients.



Feb 132019

Nicole Rekant and Stevan Pardo write:

The proliferation of data breach cases in Florida courts has focused on Article III standing. To meet the pleading standard under Article III, a plaintiff must allege sufficient facts to show the injury-in-fact is concrete, particularized, actual, and imminent, not conjectural or hypothetical. An allegation of imminent injury may suffice if the threatened injury is “certainly impending” or there is a “substantial risk” harm will occur, as in Clapper v. Amnesty International USA, 568 U.S. 398, 414 n.5 (2013). The injury alleged also must be “fairly traceable to the challenged action of the defendant,” see Resnick v. AvMed, 693 F. 3d 1317 (11thCir. 2012). A showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement under Resnick. However, allegations of possible future injury are not sufficient. Eleventh Circuit data breach cases such as Resnick established the legal principle that a plaintiff who alleges only speculative, not actual, identity theft will not have standing.

For those who didn’t know this already, one of thedarkoverlord’s hacks wound up in court with an opinion unfavorable to plaintiffs on Article III standing:

Florida cases continue to maintain this threshold for standing. In Stapleton on behalf of C.P. v. Tampa Bay Surgery Center, 2017 WL 3732102 (M.D. Fla. Aug. 30, 2017), a hacker breached a surgery center’s database and published 142,000 patients’ sensitive information online. The plaintiffs did not allege that any of the sensitive information was used. Instead, they alleged they were at an increased risk of having their identity stolen and were forced to incur credit monitoring/identity theft protection costs. After the data breach, the center provided free identity protection services to the plaintiffs and other potentially affected patients.

The court found that the plaintiffs’ allegations were insufficient to show an injury was certainly impending or that they had a substantial risk of imminent injury. First, the plaintiffs were unable to identify a single patient whose sensitive information was misused as a result of the data breach. Second, the center lessened the plaintiffs’ risks of imminent injury by providing free credit monitoring to all potentially affected persons. Third, the court concluded that the plaintiffs’ allegations relied on a chain of inferences that were too attenuated to constitute imminent harm. The plaintiffs asked the court to find that their sensitive information was viewed online, that someone downloaded that information and would use it, and that the center’s protections would not prevent the misuse. The court did not find an injury was impending and dismissed the amended complaint.

Maybe I should go back and take a closer look at that case. Did the court know that the database had been dumped by the hackers, so that it was possibly in many people’s hands? Would that increase the risk of imminent injury? As I reported on May 4, 2017 when the hackers publicly dumped the database and tweeted a link to it:

The .csv-formatted database contains more than 142,000 patients records. And yes, date of birth and SSN were in plain text. There did not appear to be any health insurance information in this particular database.

So the entity provided credit monitoring services? So what if they did? With all that personal information in plain text and available for download, nothing stops criminals or bad actors from sitting on the information until the year is over and then starting to misuse it. But of course, the defense would argue that that is not “imminent” injury, and hence, there is no Article III standing.

Somehow this system continues to not work well for consumers. And somehow, Congress, in its perpetual ineffective dysglory, continues to not address the concerns.

Read more on Daily Business Review.

Feb 102019

Remember when it seemed like every day we were reading about ID theft and tax refund fraud schemes involving rogue employees of tax preparation firms?

Yeah, well it’s still a thing.  Here’s a story about a former rogue employee at Jackson Hewitt in McKinney, Texas.  If you or someone you know may have used that firm’s branch or a Jackson Hewitt office in north Texas,  you should check your credit report and take steps to protect yourself.

And in other unsettling news involving a Texas tax preparer,  on August 2 of 2018, thedarkoverlord tweeted that they had hacked a Hurst, Texas firm called CB Tax Service.  But they hadn’t hacked that firm at all, as I realized when I started investigating a sample of data the hacker(s) had provided to this site.

This site’s investigation indicated that the firm that they did hack was a firm with a similar name, C & B Tax Preparation.  That firm,  owned by one Wynora Johnson, had and has an address in Dallas.  But a number of attempts to reach Ms. Johnson by phone failed — numbers were disconnected and the one working number was answered by someone who said she knew nothing about Ms. Johnson or that business.

So if you were a customer of C & B Tax Preparation in Dallas,  you would be prudent to assume that thedarkoverlord is in possession of any personal and financial information you shared with that tax preparer.  And you would be prudent to assume that if thedarkoverlord failed to successfully extort the firm  (and for now, I will assume that they failed because they didn’t even have the right victim identified), then your personal and financial data may be up for sale on the dark web at some point.  The sample data they had sent me have a number of image files as well as copies of completed tax-related forms and bank information.  The image files include images of people’s driver’s licenses with name, address, DOB, and picture, as well as images of their and dependents’  Social Security cards.

DataBreaches.net did alert law enforcement in Dallas about the incident in the hopes that they would be able to notify the business or its owner.  This site never received any follow-up, though, as to whether the business or its owner was ever reached — or, even more importantly — whether the business’s customers have been contacted and notified that their information is in the hands of thedarkoverlord. So if you know someone who used that service, you might want to encourage them to take steps to monitor their credit report and take steps to protect themselves.

Nov 022018

I thought I posted something on this already, but apparently I didn’t, so if you hadn’t heard already, an Australian shipbuilder who also has contracts with the U.S. Navy was hacked and the hacker made extortion demands that the firm has refused.

Jeremy Kirk reports:

Australia’s largest defense exporter says it hasn’t responded to an extortion attempt after ship design schematics were stolen by a hacker.

Austal, which is based in Henderson, Western Australia, is one of the country’s largest shipbuilders; it has built vessels for the U.S. Navy.

The company, which is listed on Australia’s ASX stock exchange, announced the breach late Thursday. The announcement came just a day after a security researcher in France posted screenshots on Twitter of the purported stolen data.

Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems.

Read more on GovInfoSecurity.

Here is some of what appeared on Twitter a few days ago:

Is TheDarkOverlord Behind This?

Because of the nature of the crime – a hack and extortion attempt – some people have wondered whether this might be the work of TheDarkOverlord.  The question is understandable, particularly since I reported almost exactly one year ago had TDO had attacked  U.S. Navy defense contractors, including ATS, whose METBENCH software was used on warships. Now another firm that does defense work for the U.S. Navy was attacked? It’s understandable that people would wonder, except if you look at the listings posted on Twitter, those listings are not consistent with TDO’s sales listings, although the April, 2016 join date is intriguing. But selling such important material for 1 BTC?  Would TDO sell for so little? It’s unlikely, but it would be a good way to put pressure on Austal – offer the data so cheaply that lots of people might buy it.

When asked directly whether they were behind the attack and extortion, a TDO spokesperson declined to confirm or deny. But they were willing to make a statement about attacking defense contractors, telling DataBreaches.net in an e-mailed statement:

U.S. Defence contractors are easy pickings and they always house very juicy materials that competing nation-states are very interested in. At some times they can be a tough nut to crack, but given enough time, we always crack the nut. Naval contractors are among the most important contractors to breach as surface and sub-surface warfare vessels allow nation-states to extend their attack capabilities in a very mobile and speedy way.

Sep 182018

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.

Read more on Daily Report.

From my perspective, the decision is an unfortunate one that once again fails to appreciate the harm and costs patients and consumers incur from a breach.