The state of Virginia has recently came under the international spotlight after it apparently became under attack by an anonymous hacker who claims to have stolen around 35 million prescription records of those residing in the state.

This supposed vulnerability has still not been identified, and state information security professionals are still dumbfounded as to whether or not this ‘hacker’ is the genuine article. Other than a ransom demand for over $10 million dollars, they have received little in the way of evidence other than the claims that the hacker has managed to delete certain files and create an encrypted backup.
Whilst the state remains uncertain as to the hackers’ authenticity, the fact remains that they are neither confirming nor denying the threat. Perhaps this is the biggest point of confusion as at this point any organization with appropriate security measures in place would be able to at least partially refute the claims.

So far, the only evidence that this ‘hacker’ may be a fake is because they claim to have social security numbers. The state of Virginia has made an announcement that states that the information they held had no such information, and that the hacker ‘may’ be a fraud.

Whilst we allude to the fact that this may be a fraudulent attempt to extort money, the state of Virginia cannot be certain. In this age of cyber-privacy and information security, the state of Virginia should be more accountable for the information they are holding. What is concerning is their incompetence in dealing with this threat and the clear fact that their security policies are inadequate to be able to ‘check’ the records and ensure that data is secure.

It is ironic that the hacker in this example apparently used encryption against the state. If the state happened to be using encryption against the hacker then perhaps this would never have happened.