The web site of Al Zahra Private Medical Centre in the United Arab Emirates was reportedly hacked last month by the individual calling himself “websites-hunter” (@ on Twitter). The hack was announced on Twitter on August 31 and on Pastebin on the same day.
The Al Zahra Private Medical Centre is part of the health services network of the Gulf Medical Projects Company and provides outpatient services.
Inspection of the sample data WebsiteHunter provided indicated that much of it was corporate or routine business information, but a few files did contain personal information:
– a spreadsheet that contained information on those applying for positions, including their name, title, email address, mobile telephone number, message, and whether they had attached their resume. There were over 4,400 entries in this database beginning in July 2011, with the most recent being time-stamped July 16, 2016; and
– a spreadsheet with feedback comments that included date of visit, commenter’s name, email address, mobile telephone number, their message, and nationality. Many of these comments contained specific medical details such as the reason the commenter had been seen at the center or their difficulties with insurance issues. The 644 entries in this database covered the period of April 2011 to July 6, 2016. Because of the very personal nature of the comments, DataBreaches.net is not reproducing any of them, even in redacted form.
Finding no statement on the web site acknowledging any data security incident, DataBreaches.net attempted to notify the center through their web site contact form on Sept 5 and to seek confirmation of the claimed hack.
This post will be updated if additional information becomes available.
For now, there is no indication as to the method of attack, but @WebsitesHunter’s profile makes clear his mission is to embarrass and expose poor security.