Hacker Extracts Data on Purveyors of Controlled Substances

Healthcare and Public Health

Akorn Inc., a niche pharmaceutical company, had a customer database compromised by an attacker who is now offering to sell the records to the highest bidder.

The auction is being hosted by a hacker self-dubbed Mufasa, who is known for targeting vulnerable companies by exploiting software bugs known as “SQL injection” flaws.

The database held business information such as DEA numbers, which are assigned to healthcare providers and help track controlled substances.

The medical industry uses them as a unique identifier for those who can prescribe narcotics, such as oxycodone, meperidine, or fentanyl, among others.

Mufasa tells CSO that the system was penetrated through a SQL injection on Akorn’s website.

"Every PHP file on their website was vulnerable to [SQL Injection]," Mufasa said, "they had no security whatsoever." The data also was not encrypted.

Akorn said in a statement: "Although much of the information acquired is publicly available, we are in the process of notifying our valued customers about this incident."

Screenshots of the records show all fields in clear text, including passwords.

When asked if there are offers on the table, Mufasa said there are some takers, but expressed some hesitation about selling the records.

If Akorn wants to buy back the data, the price is $5,000.

Commenting on why the data was taken in the first place, Mufasa said the goal was to teach Akorn a lesson in security and to encourage the company to use encryption.