
EagleSoft Pushes FBI to Arrest Security Researcher that found patient data on open FTP


We have written numerous articles on how bad corporate mentality is shaping security and risking your data, and we have one more to share with you today. We can also guarantee that it will not be the last one we write. According to news reports, the company EagleSoft has responded to a part-time security researcher by asking the FBI to treat him like a criminal, instead of simply fixing the issue as reported. The researcher's name is Justin Shafer, and his "crime" was reporting unencrypted patient data that EagleSoft had left on an open FTP server. The FTP server did not require a logon to access the data, but EagleSoft, in order to protect themselves, are trying to play this off as a criminal act.

As we have stated time and time again, the corporate world does not care about your data. Instead, they are much more concerned with saving face and preventing anyone from finding out how awful they are at security. This type of behavior is very common when it comes to security research, as companies try to shore up their own reputations before they do anything about the problems in their applications. In Shafer's case, he found that the FTP server had probably been left open for years, and he did not even disclose the issue until the server was secured.

EagleSoft, who has now gone very quiet, is claiming that Shafer violated the CFAA (Computer Fraud and Abuse Act) by accessing the server at all. On that basis they phoned the FBI and demanded that Shafer be arrested. The FBI complied and showed up at Shafer's house with a whole gang in tow to execute the arrest of this, obviously (sarcasm), criminal. Shafer probably has an option for legal action against EagleSoft at the very least and, depending on the details of the "investigation" by the FBI, one for wrongful arrest.

It is nice to know that the FBI is able to jump so quickly on information given to them by a corporate entity like this without much of an investigation. It seems eerily similar to how ICE handles takedown requests over copyright: a company (or legal group) just has to call up and make the claim to get a domain confiscated. Of course, we have watched the FBI botch the MegaUpload case for years as they illegally took evidence out of the country, pushed for warrants that were not legal in NZ, and much more. They are much less a law enforcement organization these days than they are copyright enforcers and bullies for corporate interests.

We will keep a very close eye on this one, as it could set a precedent for security researchers moving forward.

Sterling McKeand
