Two days after reporting that 655,000 healthcare records were found for sale on the dark web, the site DeepDotWeb said today that another insurance database with at least 9.3 million patient records is being shopped around by an anonymous hacker.
Over the weekend, a hacker using the name "thedarkoverlord" was offering for sale records taken from databases managed by three healthcare organizations in Missouri, Georgia and the Midwest, according to the site. The hacker, who was seeking payment in Bitcoins with a value ranging from around $100,000 to $395,000, reportedly told DeepDotWeb, "There is a lot more to come."
That same hacker appeared again today on a dark web market with an offer to sell another database with more than 9.3 million patient records for 750 Bitcoins, valued at around $485,000. The hacker's market listing claimed the plaintext data belonged to "a large insurance healthcare organization in the United States."
'Very Particular' Zero-Day Exploit
According to DeepDotWeb, the hacker selling the healthcare data claimed the information was accessed through a zero-day vulnerability in the Remote Desktop Protocol (RDP) used to connect devices across a network. A proprietary protocol developed by Microsoft for Windows-based applications, RDP provides users with a graphical interface for managing computer-to-computer communication.
Speaking with DeepDotWeb via Jabber over the weekend, thedarkoverlord reportedly said he was able to access the healthcare records due to "an exploit in how companies use RDP. So it is a very particular bug. The conditions have to be very precise for it."
As business records have become increasingly digitized and network-connected, the risks of breaches, thefts and data losses have grown. Healthcare data in particular offers the potential for hackers to profit via ransomware or fraudulent claims.
"[W]e have seen how all kinds of illegal goods are traded through black market digital sites, some on the dark net, taking advantage of the anonymization possibilities given by the technology, and many of them on the open net," Fernando Ruiz, head of operations for the European Cybercrime Centre, said in this year's "2016 Data Breach Investigations Report" from Verizon. "There is a clear demand for stolen data and, therefore, there will always be criminals ready to supply and satisfy this demand, especially if we take into account the disproportion between the risk-cost-profit, as data can be easily stolen and transmitted."
'Bit of a Data Breach Yard Sale'
A check of some of the information included in the recently hacked healthcare databases appears to be old, although some still appears to be accurate, a security blogger who goes by the name "Dissent" wrote yesterday on DataBreaches.net. The blogger noted she had also contacted "one well-known insurer" to find out whether any of the hacked data came from its systems, but had not yet received a response.
DeepDotWeb reported today that thedarkoverlord said in an encrypted chat that he had tried to contact the hacked healthcare organization but "they declined to respond." He added that the price of the records was "a modest cost" compared to the damage a large-scale leak could cause, and indicated more hacked data could be expected to appear up for sale.
These latest hacked database reports -- while they have yet to be validated -- appear to involve attempts to sell large volumes of old information taken in breaches some time ago, Christopher Budd, the global threat communications manager at the security firm Trend Micro, told us today. He pointed to last month's attempts to sell on the dark web 117 million user e-mails and passwords taken in a data breach at LinkedIn four years ago.
"It's a bit of a data breach yard sale going on," he said. Budd noted that while no healthcare organizations have yet confirmed the loss of data being offered for sale recently, the RDP protocol is "certainly a vector we've seen people exploit in the past." For now, however, the only evidence for such a breach is coming from the hacker, so more evidence is needed, he said.