Today, ethical security researcher Bob Diachenko published a write-up on his discovery of medical software company Adit's insecure database containing more than 3.1M patients' information. In his write-up, Diachenko notes how he discovered the exposed database on July 13 and proceeded to disclose the issue to the company, but did not receive a response. As a result, the data was destroyed, and potentially stolen, over a week later by a malicious bot.

The breach of over 3 million individual records is a serious incident with major consequences for people who likely do not know their personal information was jeopardized.
An unsecured database that does not require a password or other authentication to access it is likely more common than we are led to believe. All of the people involved in this breach could face repercussions in their personal lives and further attacks from those who accessed the information.
Adit should be making their clients aware so they can inform the patients involved. The lack of response so far after being notified of a potential breach is very concerning.
This researcher's discovery of Adit's unsecured database and disclosure to the company is the textbook practice that ethical security researchers follow to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit's failure to respond to the researcher in time allowed a bot to delete, and possibly steal, the critical information belonging to millions of patients that was in the database.
This highlights the overall failure of both public and private sector organizations to cooperate with ethical security researchers. Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place. This is because humans are prone to error and, when developers feel rushed to bring a new product or innovation to market, they will make mistakes along the way.
Historically, NoSQL databases like Elasticsearch and MongoDB have been subject to bulk erasure and ransoming. Given that, exposed Elasticsearch instances on the internet will be found, and organizations with VDPs in place will have a greater chance of closing them up before they can be exploited by adversaries.
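The exposure pattern described here and in the paragraph above (a database reachable over the network that requires no password) is easy to check for in Elasticsearch's own configuration file. The following is an added example, not code from the article or from Adit or Elastic: it audits an elasticsearch.yml for the combination of a non-loopback `network.host` and `xpack.security.enabled` being off, which is exactly the state in which anyone who can reach port 9200 can read, modify or wipe every index. It assumes the Elasticsearch 7.x-era default in which `xpack.security.enabled` is false when unset, and it uses a deliberately simple flat key/value parser rather than a full YAML library; the two sample configurations are constructed for the example.

```python
"""Audit an elasticsearch.yml for the 'reachable over the network, no auth' pattern.

Added example, not from the article. It inspects two well-known settings:
  network.host           - which interfaces the node binds to
  xpack.security.enabled - whether authentication and TLS (X-Pack security) are on
Assumption (Elasticsearch 7.x era, when this article was written): if
xpack.security.enabled is absent, it defaults to false.
"""
from typing import Dict, List

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}
WILDCARD_HOSTS = {"0.0.0.0", "::", "_global_", "_site_"}

# Constructed sample: the configuration behind many leaked Elasticsearch instances.
EXPOSED_CONFIG = """
cluster.name: clinic-demo          # constructed name
network.host: 0.0.0.0              # listen on every interface
http.port: 9200
discovery.type: single-node
"""

# Constructed sample: same node, bound to loopback with security enabled.
HARDENED_CONFIG = """
cluster.name: clinic-demo
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines used in elasticsearch.yml.

    Simplification, not a full YAML parser: comments, blank lines, list items
    and nested blocks are ignored; only top-level dotted keys are read.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"').strip("'")
        if value:
            settings[key.strip()] = value
    return settings


def is_truthy(value: str) -> bool:
    return value.lower() in {"true", "yes", "on", "1"}


def audit_es_config(text: str) -> List[str]:
    """Return findings for one elasticsearch.yml; an empty list means no exposure pattern."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    host = cfg.get("network.host", "127.0.0.1")  # Elasticsearch binds loopback when unset
    security_on = is_truthy(cfg.get("xpack.security.enabled", "false"))  # assumed 7.x default
    bound_publicly = host in WILDCARD_HOSTS or host not in LOOPBACK_HOSTS
    if bound_publicly and not security_on:
        findings.append(
            f"CRITICAL: node binds to '{host}' with xpack.security.enabled=false; "
            "anyone who can reach the port can read, modify or delete every index"
        )
    elif bound_publicly:
        findings.append(f"INFO: node binds to '{host}'; confirm the port is firewalled")
    if "xpack.security.enabled" not in cfg:
        findings.append("WARN: xpack.security.enabled not set; relying on the version default")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_es_config(cfg_text) or ["OK"])
```

Run against a real node, the check belongs in the same place a VDP report would land: a CRITICAL finding means the instance is in the state the article describes, and the fix is to bind to loopback or a firewalled address and turn X-Pack security on before the node is ever reachable from the internet. Note that `network.host` can also be a YAML list; this simplified parser only handles the single-value form.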
With a VDP, organizations can be proactively alerted to vulnerabilities by ethical researchers before they are exploited in the wild. Speed is the natural enemy of security, and the best way to remain secure and beat attackers is by thinking like one – even organizations with in-house security teams can benefit from having outside help. In this instance, having a VDP would have allowed Adit to secure their database before it was deleted and the data possibly stolen.