There's something that's been bugging me all day.
On Wednesday, security researcher Justin Shafer reached out to a handful of security reporters after he found that Nevada state government's website was leaking thousands of applications from its medical marijuana dispensary program.
Shafer found the leaky web portal by using Google to search government websites for words like "social security," which anyone can do with relative ease. He found one listed web address, ending in a number, which pointed to a PDF file purporting to be a medical marijuana dispensary application. Altering the number in the web address let anyone view different applications.
The first reports came in.
- CSO Online: "Agent applications for Nevada's medical marijuana program exposed"
- The Daily Dot: "Medical marijuana portal exposes thousands of Social Security numbers"
- ZDNet: "Nevada leaks thousands of medical marijuana dispensary applications"
Around the time we published, the site had been taken down to "limit the vulnerability," according to spokesperson Martha Framsted.
Framsted said in a phone call Wednesday that it was "aware of the leak" from the security researcher via multiple reporters, including those from CSO Online and The Daily Dot, and would release a statement later in the day.
In our brief conversation, Framsted said that the state's IT staff had pulled the website offline in order to prevent the data from leaking further. There wasn't a hint of accusation -- clearly, this was a system that wasn't working properly.
Then, headlines began to turn from "leak" and "exposed", to "hacked" and "breached" later in the day.
What happened? Nevada's official statement reversed its rhetoric entirely and began blaming the leak on a "cyberattack." The statement said that industry employee information had been "stolen," adding that the incident had been "referred to law enforcement agencies for further investigation."