A cyber security expert says doctors’ personal information and identity documents could be sold on the dark web or used to “buy or prescribe” drugs.
Hundreds of doctors and medical staff recently received a letter warning them that a worryingly large amount of their personal information had been mistakenly exposed online due to a website misconfiguration last month.
According to The Guardian, which broke the story on Wednesday (10 September), 67 doctors from the south-eastern Sydney district and more than 500 medical staff from the Illawarra Shoalhaven district had their data exposed during the incident.
“Personal information, including passports and driver’s licences for more than 500 health professionals, including senior doctors, is an incredibly dangerous dataset. Other than increasing the risk of impersonation, fraud, and future phishing campaigns, this breach is rather unique because it opens the door to the possibility of an attacker using a doctor’s identity to buy or prescribe drugs. That kind of information would also be incredibly valuable if sold on the dark web.”
The incident is a troubling one as it didn’t require the exploitation of a vulnerability or a complex attack chain. It was, in effect, a glaring but no doubt simple mistake.
“In many cases, it’s not malicious intent but stretched resources, overworked staff, and weak processes that let these mistakes slip through. Unlike a major ransomware attack that sets off alarms, a quiet misconfiguration can sit unnoticed for months or years until someone stumbles across it,” Novak said.