
Virginia Health Database Held For Ransom

Posted by timothy
from the single-point-of-failure dept.
An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

  • by eldavojohn (898314) * <eldavojohn&gmail,com> on Tuesday May 05, 2009 @09:09AM (#27829345) Journal

    The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom...

    Yes, but the phrase "Now I hear tell" indicates Virginia! What a conundrum! This case will never be cracked! The full note text for those too lazy to click through wikileaks:


    I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

    For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

    Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at and we can discuss the details such as account number, etc.

    Until then, have a wonderful day, I know I will ;)

  • Michigan (Score:5, Informative)

    by Darth_brooks (180756) * <clipper377@[ ] ['gma' in gap]> on Tuesday May 05, 2009 @09:12AM (#27829399) Homepage

    The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virginia.

    It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")

    All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

  • by Anonymous Coward on Tuesday May 05, 2009 @09:20AM (#27829505)

    No doubt a reference to the FBI.

  • by Anonymous Coward on Tuesday May 05, 2009 @09:25AM (#27829565)
      HTTP/1.1 200 OK
      Server: Microsoft-IIS/5.0
      MicrosoftOfficeWebServer: 5.0_Pub
      PICS-Label: (PICS-1.0 "" l on "2002.01.30T11:07-0400" exp "2035.12.31T12:00-0400" r (v 0 s 0 n 0 l 0))
      Connection: keep-alive
      Date: Tue, 05 May 2009 13:22:56 GMT
      Content-Type: text/html
      Accept-Ranges: bytes
      Last-Modified: Fri, 01 May 2009 20:54:08 GMT
      ETag: "0d886f89ecac91:af5"
      Content-Length: 18149
  • Even if it was 10GBs worth of data, once an attacker can sneak into the system, it's possible to download it all without getting noticed... If the server has a fat pipe, it's likely nobody will notice a minor amount of additional overhead. However, there remains the question of how the attacker could know that there are no additional backups.

    There have been ransom cases like this before, dating as far back as the 80s I believe (perhaps even the 70s), where it was an inside job, and the attackers stole all the physical backup media. It's possible the attackers worked there, and thought they could get enough money this way to "disappear". This seems stupid to me, however. There just doesn't seem to be a way for them to get those 10 millions without being traced.
  • by Lumpy (12016) on Tuesday May 05, 2009 @09:42AM (#27829797) Homepage


    And here's something that will scare you.

    MOST companies don't know what Iron Mountain is and what tape drives are for. A bulk of companies and corporations have incredible jokes they call their backup system/policy.

    They spend more on the CEO's toilet than they do on data security and integrity.

  • by wiredog (43288) on Tuesday May 05, 2009 @10:11AM (#27830261) Journal

    have you?

    I've been working for contractors for 10 years now, and am still surprised by the level of incompetence that some government IT folks demonstrate.

    Some are good. NOAA OMAO really has its stuff together. DoJ? Not so much..

  • Re:State control (Score:1, Informative)

    by Anonymous Coward on Tuesday May 05, 2009 @10:12AM (#27830267)

    Silvadene is avail in a generic. Yes it requires an Rx but you can get 50gm for near $10, nowhere near $80.

  • by Lord Ender (156273) on Tuesday May 05, 2009 @10:34AM (#27830605) Homepage

    It's true. Where I work, we have very good security. This is because we have very good security engineers who select (or write) the tools they use, rather than having some shitty pie-chart generating security app shoved on us by some middle manager who liked the sales presentation.

    Infosec really is an art at this point. Managers, don't tell the artist what equipment he can use. Your $40,000 SIM is going to be completely wasted, because syslog + a perl script will get him exactly what he needs in exactly the format he wants in less time than it takes to open the box on the SIM.

  • Re:Non-story? (Score:3, Informative)

    by cbiltcliffe (186293) on Tuesday May 05, 2009 @10:47AM (#27830803) Homepage Journal

    I don't know of anywhere where you need a licence to develop software.
    Using a PC doesn't require a licence, but the troll included it in the list in an attempt to prove his point.
    Watching TV, however, does require a licence in a number of countries.

  • DHP != VDH (Score:5, Informative)

    by elbuddha (148737) on Tuesday May 05, 2009 @10:49AM (#27830849)

    Just for clarification, the Virginia Department of Health Professionals is not the same agency as the Virginia Department of Health.

    Each Virginia agency is its own little independent IT fiefdom, with all the disparity of budget and clue that entails. At least until their IT is taken over by Northrop Grumman, which is another clusterfuck entirely...

  • by Archangel Michael (180766) on Tuesday May 05, 2009 @11:30AM (#27831507) Journal

    I work for a school, and you're close to being right. However, it is worse than that, people who actually KNOW something more than the others are pushed aside and ignored.

    I'll give you a great example, here at where I worked. Five years ago, we began planning for a large infrastructure upgrade (gig MAN), and I suggested that as part of the planning we include VLANS so that we can implement proper VLANing when we did the actual upgrades.

    The ass kissing guy on our team who doesn't know shit, but has a dark brown nose, said we didn't need to VLAN anything (because he didn't understand what a VLAN was).

    Fast forward to today, we have just finished our gig MAN rollout and we don't have VLANS, and people are asking about things like VOIP and using digital tech to replace other communication protocols (Fire/Safety, HVAC, etc), and we can't because there was no planning done to handle it properly within VLANS.

    Nobody listened to me, because I don't speak with brown nose qualities. And the idiot who they listen to still doesn't know jack shit about anything.

    There is one other small part of this that nobody really knows about. We run our whole department on a shoestring budget with no understanding from anyone in Management about what we have to do, because we are nothing more than a necessary evil to them. In the eight years I've been here, we've doubled the number of servers and desktops we have to manage, without adding a single person. In fact, the last year, we've lost three people from our Dept, and are losing another, and only one has been replaced. And it is really starting to show up in the quality of work we can do. Right now, we're in a position of firefighting, with little or no preventative planning.

    And don't ask us about backups. It is only for a complete disaster. I pity the day when that happens, and we realize we didn't back up enough data.

    We have good people here, doing the best we can with what we have, for the most part.

  • by Kierthos (225954) on Tuesday May 05, 2009 @12:30PM (#27832603) Homepage

    It's a reference to the Sherlock Holmes story "The Bohemian Scandal", wherein, Holmes explains to Watson that the note that he (Holmes) has received was written by a German, based on the sentence structure.