Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security Databases Government Medicine

Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 146

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
This discussion has been archived. No new comments can be posted.

Hackers Corrupt Data For Cloud-Based Medical Marijuana System

Comments Filter:
  • Some idiot used Windows, didn't bother upgrading some old software because it was closed source and upgrades expensive and got what they deserved.

    • Like it would have made any difference if they had an outdated Linux distribution.

      • by guruevi ( 827432 )

        You can update outdated Linux distributions for free, there is no valid excuse to using old and outdated open source software. Closed software often has the drawback that you're "locked in" by whatever vendor, they can increase the upgrade price ten-fold and you'd have no options.

        On the other hand, even outdated Linux distributions pose a significantly lower risk of a successful hack.

    • Fuck you. No one deserves to have a piece of shit corrupt their data "because I can."

      People that do shit like that on purpose deserve a bullet to the back of the head.

      • by guruevi ( 827432 )

        So you leave your front door wide open when you go on vacation because no piece of shit should walk in and steal or vandalize your stuff? Yeah, whoever does that intentionally and maliciously deserves to be punished (although a bullet is a bit far) but the 'owners' are also responsible to take precautions.

  • The company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority."

    If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority

    • by Anonymous Coward

      Because not everybody is perfect, you smug asshole.

      • by krelvin ( 771644 )

        Not being smug at all. I've had my medical (hospital) information, insurance (2 different insurance companies), 3 credit card companies hacked over the period of the last 2 years and each time, they always say the same thing. Security is our top priority , but then you find out it really wasn't. They were doing unsecure processes which is how they got hacked, had been warned about their practices etc...

        I have no choice if I use these services (other than to not get medical, insurance and use a credit ca

        • Or, you know, it's just hard to secure things.

          I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton

    • by PolygamousRanchKid ( 1290638 ) on Sunday January 15, 2017 @11:58AM (#53672133)

      "I was gonna keep our clients' data secure . . . but then I got high . . ." -- Afroman, https://www.youtube.com/watch?... [youtube.com]

    • by bagofbeans ( 567926 ) on Sunday January 15, 2017 @12:00PM (#53672139)
      So we have:

      Keeping our client's data secure has always been our top priority

      then

      all client sites have been migrated to a new, more secure environment

      If the first was true, the second wasn't necessary.

      • If the first was true, the second wasn't necessary.

        Not at all true. If I have a budget of $5m and dedicate $2m to security, $1.9m to operations, and $1.1m to other then security is still my top priority, even though spending on it can be increased and it could be made better.

        Absolute security is not a thing.

        • by Anonymous Coward

          If I have a budget of $5m and dedicate $2m to security, $1.9m to operations, and $1.1m to other then security is still my top priority, even though spending on it can be increased

          Not at all true. If that $2 goes to performing the minimum required, while the $1.9 and $1.1 goes to extravagances, security is not your top priority. Largest cost != highest priority.

      • "Secure" and "Available" are related but not synonymous.

        It is possible to have a system that is secure against data exfiltration, but still susceptible to intentional corruption. I'm not saying this is necessarily true in this case, but it is certainly a possibility.

        Fear of data leakage is just one of many reasons why a black market will continue to exist, even with "medical" and decriminalization. There's still a social stigma against pot and THC users (stronger in certain areas and cultures than o

    • I assume HIPAA rules apply since this is medical usage. Were they adhered to?
      • by guruevi ( 827432 ) on Sunday January 15, 2017 @12:21PM (#53672245)

        HIPAA rules do not describe how to secure your data. It only tells you that you need to secure your data and the procedures to follow when you're not compliant. It doesn't prescribe a particular encryption or what needs to be encrypted.

        Case in point, most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN" and then it doesn't matter the external VPN vendor only supports DES (yes, still single DES in 2016/2017), it's documented as being "encrypted", any hacking would be the result of 'evil hackers' which they can't do anything against and then it becomes the FBI's responsibility to catch the criminals, the hospitals have done their due diligence and don't need to report breaches because they have gone according to HIPAA standards.

      • I assume HIPAA rules apply since this is medical usage. Were they adhered to?

        You forgot the quotes around "medical". In 99.9999% of cases it has nothing to do with medicine or treating any illness. If this really was medicine it would sold through a normal pharmacy and have FDA approval and double blind efficacy tests like every other drug. While I do not dispute that there are likely medicinal uses for some of the ingredients in marijuana, let's not pretend that the VAST majority of people who are "seeking treatment" are anything other than just recreational users. I have no pr

        • ^I'm sure they are not all medical patients as well, but if you are going to distribute under the guise of medical practice, then you need to follow applicable rules, so my question still stands. It appears I've gotten a good answer from another poster.
        • > no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.

          No problem, then. The term is used by and for potheads, not for people with a functioning brain.

          Many years ago, I was into NORML and the marijuana legalization movement. (We called it "decriminalization".) I wrote some articles that were well received by my NORML peers. Looking back on what I wrote now, I think "what the hell? Wtf was I smoking when

        • Comment removed based on user account deletion
        • We have been here before. Late in the Prohibition era, people were getting prescriptions written for "medical beer."
          http://www.smithsonianmag.com/... [smithsonianmag.com]

        • by moeinvt ( 851793 )

          " In 99.9999% of cases it has nothing to do with medicine or treating any illness. "

          Oh come on! That's an exaggeration and you know it. It's "medical marijuana" because it requires a prescription.

          The f***ing FDA doesn't give a damn about The People. It is owned by the big pharmaceutical corporations! A majority of Congress is likewise owned based on their recent bi-partisan vote to keep the ban on importing drugs from Canada. Note that these same corporations are funding anti-decriminalization efforts

      • by fred911 ( 83970 )

        "I assume HIPAA rules apply since this is medical usage. Were they adhered to?"

          I don't think you can use protection of a Federal Act to protect yourself from a Federal Crime. Somehow, I don't think dog hunts.

    • If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority

      Their top priority is obviously making a profit, just like any other company. Data security is only a priority insofar as it affects their ability to continue to make a profit. If the cost of data security is higher than the value of a breach then guess what is going to happen sooner or later...

    • If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority

      I see you're doing your part by not using dangerous apostrophes where they are needed!

      Implicit in any company's statement that security is their top priority is the large bundle of compromises that don't go away whether or not that is your top priority. They could make the data perfectly secure by disconnecting the servers and putting them in a bank vault. They could make sure the data can't be breached by simply destroying all of it. See?

      Security can be your Top Priority, but it has to be done in th

  • it probably came from within the pharmaceutical industry, or they paid to have it done, medical marijuana is taking income away from the pharmaceutical industry. eventually the pharmaceutical industry will have to accept marijuana as a legitamite product and should consider making remedies with the active ingredients of marijuana
  • Where's my encryption keys??
  • The Cloud! (Score:3, Insightful)

    by Anonymous Coward on Sunday January 15, 2017 @12:12PM (#53672201)

    A gigantic target for hackers with every clients info in one place.
    Great job.

  • " No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption."

    Oh sure, I totally believe this 100%.

    Like they would even know for sure if it had been extracted.

    • Well for the most part, the security of encrypted data is The_perceived_value / Cost_of_decryption. Cost_of_decryption would be high if your trying to brute-force the database encryption, not so much if you have a key-logger installed on a POS and force everybody to change password to access their cloud data and a copy of the software used.

  • Let me get this straight. These people are trusting their personal data to a company that literally is based around sales and use of a drug known and acknowledged to impair judgement and productivity? Awesome plan. I'm sure they were moving heaven and earth to secure their data... That's about as smart as hiring an alcoholic to be your limo driver. You might get there in one piece but I wouldn't count on it.

    • No, the company that literally is based around sales and use of a drug known and acknowledged to impair judgement, is trusting their data to a cloud based storage and software company who's product is an ERP software specifically tailored for the marijuana industry. They, by law have to track inventory from seed to retail sale, this data was destroyed. Apparently there were offline or off-site backups that are being used to restore the service.

      Ward continued. “What will take time is reconstructing his

    • Nope. It's more like hiring a liquor store clerk to be your limo driver.

  • by flacco ( 324089 ) on Sunday January 15, 2017 @01:29PM (#53672587)

    > medical
    > cloud-based

    OK.

  • Am I the only one giggling at this point or is just because I'm stoned?
  • Imagine a news story like this:

    Vandals destroy very valuable property

    The law of firm of Dewy Chetham and Howe reported yesterday that vandals destroyed very valuable property. Spokesperson of the firm Insanei Rony said, :The firm keeps all their files in unlocked cabinets in the back porch open to the public, in order to serve our clients better. This allows our clients to work at their schedule and come in drop off their forms and depositions at their convenience. On Friday evening a group of vandals,

    • by Cederic ( 9623 )

      Why would I imagine a news story like that? It has no fucking relevance at all.

      Shit, why am I replying to an obvious troll. I must be tired. Goodnight.

  • Ripping off stoners since 1964.

  • My guess is that the hack was a US government agency.

    Unless, of course, it was the RUSSIANS again! They may be looking to sell pot to Americans to make us all easier targets for take-over!!!!

    Naaa. It was the US gov looking to make trouble where laws get in their way.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...