Nevada state government’s website was leaking thousands of social security numbers, and highly sensitive personal data. They said it was a hack. Spoiler alert: It wasn’t.”
By Darrell Pruitt
Years ago, I recognized Justin Shafer as a national hero. Today, Zack Whittaker, Security Editor for ZDNet, posted an article for Zero Day which supports my opinion. It’s about time Justin got some recognition for the millions of potential identity thefts he thwarted – even at the risk of personal harm.
“Stop calling everything a ‘hack’ – Nevada state government’s website was leaking thousands of social security numbers, and highly sensitive personal data. They said it was a hack. Spoiler alert: It wasn’t.”
There’s something that’s been bugging me all day.
On Wednesday, security researcher Justin Shafer reached out to a handful of security reporters after he found that Nevada state government’s website was leaking thousands of applications from its medical marijuana dispensary program.
Shafer found the leaky web portal by using Google to search government websites for words like “social security,” which anyone can do with relative ease. He invariably found one listed web address, ending in a number, which pointed to a PDF file purporting to be an medical marijuana dispensary application. Altering the number in the web address let anyone to view different applications.
Whittaker describes how later – even after the leak had been confirmed by multiple news sources – Nevada chose to call the leak a hack. The difference between a hack and a leak is whom to blame – a hacker or a careless government employee.
Shafer, and others who have brought matters of insecurity to their owner’s eyes, often face backlash or legal threats from the very people they’re trying to help.
Incidentally, Shafer had been accused of “hacking” before, simply for informing a company, Eaglesoft, a provider of dental practice management software, that it was leaking confidential patient data by storing it in an unsecured FTP folder, available for anyone with an internet connection to see. His house was raided by the FBI as a result. But, unsurprisingly, no charges have been over the matter.
Nevertheless, Shafer’s computers which were confiscated in the raid have yet to be returned. Shafer fears that his family photos have been lost.
Think about it. Justin stands accused of exceeding authorized viewing of publicly-available information. That is not a hack. Nevada and the rest of the nation must learn that if identities are stored on the curb, a thief is more likely to use them rather than to report the breach.
D. Kellus Pruitt DDS