This week, there were two more serious data leaks. The first was that the Bangladesh government website leaked the data of as many as 50 million citizens, which accounted for about one-third of the total population of Bangladesh. Then HCA Healthcare, an American medical services company, was hacked, resulting in about 11 million patients being affected by the data breach.
On July 12, according to foreign media news reports, the website of Bangladesh Birth and Death Registration Office (BDRIS) leaked the personal information of 50 million citizens, including names, mobile phone numbers, emails and ID numbers. The cybersecurity reputation has taken a serious hit.
On June 27, Viktor Markopoulos, a researcher at Bitcrack Cyber Security, discovered the leak by accident and tried several times to contact the Bangladesh e-government Computer Incident Response Team (CIRT), but received no response for more than a week .
Markopoulos has no way of determining whether the data has been compromised or used, and anyone, like him, could have found it. Markopoulos scoured some darknet forums to see if there were any relevant leaks for sale, but found nothing.
According to Markopoulos, finding the data is easy because it appears as a Google search result. All he did was follow the vulnerable API tell instructions - it showed an error that the word register in the URL should be a number not a word, so he just changed register to 123456789 and a random one's birth popped up application, which contains all relevant data.
TechCrunch said it used 10 different sets of data on public search tools on government websites and was able to verify them. The site returned other data contained in the leaked database, such as the names of people who applied to register and, in some cases, their parents.
On July 12, HCA Healthcare, a U.S. medical services company, revealed that it had suffered a major data breach, affecting approximately 11 million patients.
The company discovered the security breach on July 5 on an underground forum, with a threat actor claiming to have carried out the hack. As evidence of the hack, the threat actors posted some of the patient's stolen information, including: patient name, city, state, and zip code; patient email, phone number, date of birth, and gender; and patient service date, location, and next Appointment date. The information was stolen from an external storage location designed to automatically format emails.
HCA Healthcare emphasized that no clinical information, such as treatments, diagnoses, or conditions; payment information, such as credit card or account numbers; or sensitive information, such as passwords, driver's licenses, or Social Security numbers, was posted on the forum. In addition, HCA's day-to-day operations will not be disrupted.
HCA Healthcare, which has 180 hospitals and more than 2,300 sites in 20 US states and the UK, said any patient receiving services at a US Healthcare-affiliated hospital or doctor's office could have been affected by the data breach.
HCA Healthcare said it has reported the incident to law enforcement and is investigating what happened with the help of a third-party forensic and threat intelligence consultant. No evidence of any malicious activity on HCA Healthcare's network or systems related to this incident has been found.