Justin Shafer, a dental technician and part-time software security researcher, spotted exposed, unencrypted patient information on an open FTP server belonging to Eaglesoft, a dental practice management software vendor. No hack was involved: the server accepted connections without any exploit, and Shafer got on the blower to warn Eaglesoft so it could fix the problem and avoid having its customers' data exposed.
Eaglesoft responded, not by publicly thanking Shafer or by sending him a nice card, but by calling the FBI and demanding he be charged as a criminal hacker.
Shafer and his wife were sound asleep at 6:30am local time on Tuesday morning when the doorbell started ringing incessantly and the family heard heavily armed coppers banging loudly on their door.
Shafer opened the door to find 12 to 15 FBI agents, and found himself looking down the barrel of a big green assault weapon.
Shafer, still in his boxer shorts, was handcuffed while agents seized all of his computers and devices, "and even my Dentrix magazines," Shafer said.
Shafer has form for exposing pants security. He found that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide "encryption" for patient data. He exposed that weakness and filed an FTC complaint that recently resulted in Henry Schein signing a consent order to settle Federal Trade Commission charges.
Eaglesoft was claiming Shafer had "exceeded authorised access" in connecting to its FTP server, which would be an offence under the Computer Fraud and Abuse Act (CFAA). The company is now refusing to talk to anyone.
Once Shafer determined that the patient data had been secured, he and DataBreaches.net disclosed the incident publicly. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years.