Medical Software Database Composed of 3.1 Million Patients Personal Information Disclosed Online

A database that comprises the personal information of about 3.1 million patients was exposed on the web and was later erased by the Meow bot.

Security researcher Volodymyr ‘Bob’ Diachenko identified the unsecured database on July 13, 2020. Password was not required to gain access to the database containing the patients’ names, phone numbers, email addresses, and location of treatment. Diachenko tried to find out who owns the database and knew that it was created by Adit, a medical software business. Adit offers to medical and dental practices its online booking and patient management software. Diachenko sent a message to Adit to notify it concerning the unsecured database but received no response. A few days later, Diachenko found out that the Meow bot erased the data.

In late July, the Meow bot appeared scanning the world-wide-web for unsecured databases. Security researchers including Diachenko explore the net to look for exposed data and then lets the data owners know about the unsecured information. But the Meow bot’s operation involves searching and destroying data. After locating the exposed database, the Meow bot overwrites it with non-specific numbers and adds the word “meow.”

Whoever is behind the Meow bot is unknown. The intention of the attacks is also unknown. Many threat actors find exposed databases on the web with the intention to steal or encrypt files, afterward, they extort ransom from the data owners. But the Meow bot finds and attacks exposed databases without any apparent financial reason.

There’s no certainty if the Meow bot steals information before being overwritten, but, some security researchers have stated that the goal is not data theft, but to keep cybercriminals from getting the data of individuals and/or inform data holders of their failure to secure the data or it will result in data destruction.

By erasing the database, cybercriminals won’t get the information. Nevertheless, a previous study done by Comparitech showed that malicious actors continue to scan for unsecured information and normally identify unsecured Amazon S3 buckets and Elasticsearch databases within several hours after exposure. Since the information was exposed for around 10 days before the Meow bot searched and destroyed it, several parties likely identified and acquired the information prior to deletion.

In this breach incident, there’s limited personal data exposed, but cybercriminals may still have accessed that data and used it for phishing campaigns.