Os dados pessoais de 2.373.764 pacientes foram expostos on-line depois da Hova Health, uma empresa de telemedicina com sede no México, configurar de forma errada uma base de dados MongoDB.
O investigador Bob Diachecko fez a descoberta através do Shodan.io, que verifica a Internet em busca de portas abertas em dispositivos conetados e servidores web. O BD estava disponível publicamente e podia ser acedida ou alterada por qualquer pessoa, mesmo sem uma password.
Os dados pessoais expostos compreendiam a seguinte informação:
- Full name and gender;
- CURP number (i.e. Personal ID Code Number, a unique identity code for both citizens and residents of Mexico);
- Insurance policy number and its expiration date;
- Date of birth;
- Home address;
- ‘Disability’ and ‘migrant’ flags
As representações das palavras-passe para contas de administração e e-mails também estavam contidas na BD, o que facilitou Diachenko para notificar o proprietário, a Hova Health.
“All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of event,” disseram os administradores da Hova Health disseram a Diachenko.
Os dados foram removidos em poucas horas e a empresa tomou a devidas providencias de segurança.
O investigador disse ainda que os dados contidos na BD parecem pertencer a um serviço de saúde governamental.
Interestingly, all the patients’ information that I reviewed was related to the state of Michoacán. Collection in the database was named after Efimed (‘efimed_mich_8020’), a type of records which is part of the SRS (Health Registration System) platform (according to this site). That all combined doesn’t answer the question who was the final owner of the database left without any password protection.
Mais detalhes no LinkedIn do investigador.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.