FBI agents, one armed with an assault weapon, reportedly raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.
Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday’s report:
“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”
With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.
The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafter said, and his wife tried to tell the agents that there were three young children in the house.
Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.
Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.
Enter Eaglesoft
A FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly stored patient data in a way that made it easily accessible to anyone. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.
The FBI agent reportedly told Shafer that Patterson Dental, a parent company of Eaglesoft, was claiming Shafer had exceeded authorized access when viewing the publicly available data.
Friday’s report continued:
To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.
Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer’s speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.
It’s not clear if Shafer used any of the hard-coded credentials to access patient data, something that would likely be a technical violation of the Computer Fraud and Abuse Act. Even if he did, an early morning raid by armed agents on a sleeping family is a highly disproportionate response and a flouting of the type of discretion federal prosecutors claim they apply when pursuing CFAA violations.