author photo
By Bruce Sussman
Tue | Aug 25, 2020 | 8:35 AM PDT

If you've watched any action flicks during the pandemic, you've probably seen it: a battle between different sides results in a lot of collateral damage.

We are already seeing some of the collateral damage in the real life battle between criminal hackers and law enforcement across the United States.

And in at least one state, we know residents have now had their COVID-19 status hacked and exposed. 

More fallout from the Netsential hack and data breach

The big picture here is about what some call the "Blue Leaks" case, which you could think of as a third-party hack against law enforcement, a supply chain attack against law enforcement, or both.

A self-titled hacktivist group going by the name Distributed Denial of Secrets (DDoSecrets) claims it stole 269GB of data from police agencies across the United States by attacking their common web developer, Netsential.

"Ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more," the group wrote on its Twitter account, which is now suspended.

The group also claimed it stole data on individuals and COVID-19. And now we have confirmation, from one state at least, this is true.

COVID-19 data on individuals hacked and stolen

Some states have what are called Law Enforcement Fusion Centers. Many of them now include a database of which residents have tested positive for COVID-19.

In its data breach notice, the South Dakota Department of Public Safety explains the purpose:

"This spring, the Fusion Center, using Netsential's services, developed a secure online portal to assist first responders in identifying COVID-19-positive individuals for their situational awareness during calls for service.

Law enforcement officers were not given a list of COVID-19 positive individuals but were able to call a dispatcher to verify whether a particular individual was COVID-19 positive."

From South Dakota, at least, hackers successfully stole this information. And what's worse, it may be searchable online.

"The Fusion Center believes your name, address, birth date, and COVID-19 status was on the list that was compromised during this breach, which means this information may continue to be available on various internet sites that link to files from the Netsential breach."

State says third-party vendor had 'security failure'

Perhaps you're thinking this is a case of a small state with inadequate cybersecurity or privacy protections. Or maybe they were challenged by Identity and Access Management issues. 

However, South Dakota is defending itself on these fronts and squarely pointing the finger at Netsentials, its third-party vendor, as we read on:

"This information was maintained on Netsential's secure servers and access to the information was carefully restricted to a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it.

Before uploading the information to Netsential, the Fusion Center took steps to ensure that if a third party ever accessed the file separately from the online portal, individual health information would not be disclosed."

That was the defense of South Dakota part. Now, to the finger pointing:

"However, when processing this data, Netsential added certain labels to the file that could allow a third party to identify you and your COVID-19 status if the file was ever removed from Netsential's system. Netsential's above-mentioned security failure allowed unauthorized access to its system by a third party."

According to the state, the vendor tagged the data in such a way that residents and their COVID-19 status can now be linked by those searching for this data. 

There is also more. In spite of all that we know about this data breach, South Dakota says its residents are still waiting on a breach notification from the company.

"We have informed Netsential it has a responsibility under South Dakota law to notify you of the breach of your data, but Netsential has not confirmed it will do so. Given the sensitivity of your information, the Fusion Center is notifying you directly, so you receive notice even if Netsential fails to act."

What is Netsential saying about the Blue Leaks data breach?

SecureWorld has reached out to Netsential asking for an update on its data breach. The company's entire website has been reduced to a single page, which is a troubling sign for a company that maintains critical law enforcement databases. 

netsential-statement

"Netsential can confirm its web servers were recently compromised... Inasmuch as this is an ongoing investigation, and due to the sensitivity of client information, Netsential will provide no further statement while the matter is pending."

That apparently means states will have to make their own statements, instead.

Read the South Dakota data breach notice related to Netsential.

Comments