Piero Bosio Social Web Site Personale Logo Fediverso

Social forum federated with the rest of the world. Instances don't count, people do.

Dissent Doe :cupofcoffee:

@pogowasright@infosec.exchange

Posts


  • pogowasright@infosec.exchange

    This has always been one of my nightmares, and it came true:

    A New Zealand medication charting platform used by numerous providers was hacked. But not only was it hacked, but the attackers also changed some patients' names to "Charlie Kirk," and changed other patients' records to "deceased."

    There has been no report of any extortion attempt.

    #MediMap started investigating on Sunday afternoon when problems were first reported.

    https://www.stuff.co.nz/nz-news/360942689/major-nz-health-app-breach-alive-patients-marked-deceased-names-changed-charlie-kirk

    #databreach #healthsec #hack #cybersecurity

    @campuscodi


  • pogowasright@infosec.exchange

    I may have to add Moldova to my list of countries I may not be able to visit. I just posted a two-fer involving two of their government portals:

    https://databreaches.net/2026/02/19/data-protection-failures-on-moldovan-portals-exposed-citizens-to-risk/ is about a long-time IDOR incident that exposed the personal info of everyone who ever used the govt portal to apply for a job. The vulnerability was brought to my attention by a student who was frustrated with his government's lack of response to his attempts to get them to address it.

    and

    https://databreaches.net/2026/02/19/leaked-data-raises-questions-about-hackers-claims-and-moldovas-prior-denial/ discusses an alleged hack by Bashe Team of another portal used by Moldovan residents to apply for energy compensation.

    In May 2025, the government had denied claims that access to the compensation portal had been sold. "No evidence.... smoke and mirrors... " they claimed.

    Fast forward to January 2026, and data from that portal and timeframe was leaked after Bashe Team claimed to have hacked it. But while the data appear to be real, Bashe Team's claims about how and when they acquired it didn't check out.

    Bashe Team seems to be allergic to telling the truth about their listings. @cloudsek noted their less-than-honest claims in 2025; DataBreaches.net notes it now, and @amvinfe has also noted it in his new reporting on #SuspectFile.

    #databreach #leak #vulnerability #cariere #compensatii #govsec #cybersecurity #Bashe #APT73 #Eraleign

    @campuscodi @euroinfosec @lawrenceabrams


  • pogowasright@infosec.exchange

    Some folks may recall my anger on August 18 over a vendor who wasn't responding to alerts about exposing their clients' data. The data included court files or records that were confidential or even sealed. At the time, researchers had discovered two entities that were exposed. They subsequently discovered more.

    Yesterday, the vendor -- who had even ignored a call from the FBI -- finally secured one of the two after the client finally reached them on the phone.

    The vendor told them they had fixed the problem. But did they?

    [SPOILER ALERT: No.]

    You won't believe what happened next, or maybe you will, but you'll have to stay tuned for this story, which has now gotten astronomically bigger because not only were the data still not secured but the vendor -- after claiming that the researchers had used hacking techniques to access unsecured data -- inexplicably sent the client a list of ALL of the vendor's clients with their technical details AND ALL OF THEIR LOGIN CREDENTIALS.

    [WTF!?]

    I have never been as tempted to issue an actual press release warning all entities about a specific vendor, but... wow.

    Stay tuned. Eventually, I will write this all up, but first, I want to hear what the client's lawyers and insurers decide to do to hold the vendor accountable.

    (August 18 post: https://infosec.exchange/deck/@PogoWasRight/115033245331860859)

    #databreach #dataleak #incidentresponse #incidentmanagement #thirdparty #vendor #accountability

    @zackwhittaker @aj_vicens @politico
