Armed FBI agents raid home of researcher who found unsecured patient data
Prosecutors allegedly say he exceeded authorization in viewing unsecured FTP server. (lol, seriously)
FBI agents, one armed with an assault weapon, reportedly raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.
Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday’s report:
“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”
With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.”
The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said, and his wife tried to tell the agents that there were three young children in the house.
Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.
Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.
An FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly accepted anonymous logins, leaving the patient data it held accessible to anyone on the Internet. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.
The FBI agent reportedly told Shafer that Patterson Dental, the parent company of Eaglesoft, was claiming Shafer had exceeded authorized access when viewing the publicly available data.
Friday’s report continued:
To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.
Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer’s speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.
It’s not clear whether Shafer used any of the hard-coded credentials to access patient data, something that, unlike viewing files a server already offered to anyone, would likely be a technical violation of the Computer Fraud and Abuse Act. Even if he did, an early-morning raid by armed agents on a sleeping family is a wildly disproportionate response and flouts the kind of discretion federal prosecutors claim to apply when pursuing CFAA violations.
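The misconfiguration at the center of this story is an FTP server that accepted anonymous logins. The script below is an added example for this page, not code from the article, from Daily Dot, or from Patterson/Eaglesoft: `allows_anonymous_login` probes a host with the standard-library `ftplib` client and reports whether `USER anonymous` gets in, distinguishing an explicit refusal (5xx) from a host that could not be reached. So that it runs offline, it also includes `StubFTPServer`, a constructed loopback stub that speaks only USER, PASS and QUIT and can be switched between the exposed and the hardened behaviour; the stub, the hostnames and the ports are assumptions. Given the events described above, point the probe only at servers you operate or are authorised to test.

```python
"""Probe an FTP service for anonymous login.

Added example for this page; not code from the article, from Daily Dot,
or from Patterson/Eaglesoft. Run it only against hosts you are authorised
to test.
"""
import ftplib
import socketserver
import sys
import threading


def allows_anonymous_login(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if the server accepts USER anonymous / PASS anonymous@.

    Returns False when the server refuses the login with a 5xx reply.
    Network errors (unreachable host, timeout) propagate as exceptions so
    the caller can tell "refused" apart from "could not check".
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            # ftplib defaults to user 'anonymous' and password 'anonymous@'
            ftp.login()
        except ftplib.error_perm:
            return False
        return True
    finally:
        ftp.close()


class _StubFTPHandler(socketserver.StreamRequestHandler):
    """Constructed control-channel stub: just enough FTP to answer a login.

    A test fixture, not a real daemon; it implements only USER, PASS and
    QUIT and answers everything else with 502.
    """

    def handle(self):
        self.wfile.write(b"220 stub FTP ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return  # client closed the connection
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                if user == "anonymous" and not self.server.allow_anonymous:
                    self.wfile.write(b"530 Permission denied.\r\n")
                else:
                    self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                if user == "anonymous" and self.server.allow_anonymous:
                    self.wfile.write(b"230 Login successful.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented.\r\n")


class StubFTPServer(socketserver.ThreadingTCPServer):
    """Loopback stub on an ephemeral port; allow_anonymous drives its replies."""

    daemon_threads = True

    def __init__(self, allow_anonymous: bool):
        super().__init__(("127.0.0.1", 0), _StubFTPHandler)
        self.allow_anonymous = allow_anonymous


def probe_stub(allow_anonymous: bool) -> bool:
    """Start a stub, run the real check against it, tear it down."""
    server = StubFTPServer(allow_anonymous)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return allows_anonymous_login(host, port, timeout=2.0)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python ftp_anon_check.py <host> [port]  (hypothetical file name)
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
        print(target, "accepts anonymous login:", allows_anonymous_login(target, target_port))
    else:
        print("exposed stub accepts anonymous:", probe_stub(True))    # True
        print("hardened stub accepts anonymous:", probe_stub(False))  # False
```

The check deliberately stops at the login reply and never lists or retrieves files, which is all that is needed to know whether the service is open; the credential-based database access the article mentions is a different question and is not exercised here.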
This echoes a case in the UK, which went to the European Court of Human Rights in Strasbourg. A lady running a website became suspicious of posts with links in the signature. She clicked the link and went to a site with child porn. Therefore, being a good citizen, she went to her local police station to report this. The police asked her if she’d seen the site, and she replied yes, that’s why she was reporting it. SHE was charged and convicted as a sex offender for doing her moral duty.
The moral of the story for UK civilians is that where you discover child porn, you should not report it, or you will gain a criminal record as a sex offender. Her case has been escalated to the ECHR to remove her sex offender status, and you have to wish her barristers the best of luck, as this prosecution was an abhorrent abuse of police powers.
It seems the FBI are making a similar policing decision in treating the responsible actions of a security researcher as a crime. This is clearly a mistake of policing and public policy. Where you see a breach or data loss, you should be able to report it without fear of a prison sentence or criminal record.
I hope that both the EFF and civil rights movements support him. Even better, change your dentist so that your records are not held on the FTP server of the dental company in question. It’s the medical company that should be prosecuted for a blatant lack of data protection. It’s also a rule that you can’t operate an FTP server and be PCI compliant within banking, simply due to the insecure nature of FTP. If the dental company operates an unsecured FTP server, well, they should be fined, just as a bank would be fined.
In the “Alice in Wonderland” world of infosec, the good guys become the bad guys and the bad guys are generally the police, FBI and prosecutors. When a security researcher discovers a glitch and acts with integrity to fix the data loss, he is not the villain of the story. Those who create unsecured FTP servers containing medical data need to be fined and given criminal sanctions including putting the directors of the company in jail.