Sprint customers say a glitch exposed other people’s account information

Several Sprint customers have said they are seeing other customers’ personal information in their online accounts.

One reader emailed TechCrunch with several screenshots describing the issue, warning that they could see other Sprint customers’ names and phone numbers. The reader said they informed the phone giant of the issue, and a Sprint representative said they had “several calls pertaining to the same issue.”

In all, the reader saw 22 numbers in a two-hour period, they said.

Several other customers complained of the same data-exposing bug. It’s unclear how widespread the issue is or for how long the account information leak persisted.

Another customer told TechCrunch how the Sprint account pages were initially throwing errors. The customer said they scrolled down their account page and saw several numbers that were not theirs. “I was able to click each one individually and see every phone call they made, the text messages they used, and the standard info, including caller ID name they have set,” the customer told TechCrunch.

Of the customers we’ve spoken to, some are pre-paid and others are contract.

We’ve reached out to Sprint for more but did not hear back. We’ll update when more comes in.

A huge trove of medical records and prescriptions found exposed

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.

The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database with over six million records since its creation in March 2018.

Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

According to a brief review of the data, the faxes contained a host of personally identifiable information and health information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data.

The faxes also included personal data and health information on children. None of the data was encrypted.

Two leaked documents found on the fax server, redacted. (Image: TechCrunch)

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel. MedPharm was spun out as a separate company in San Juan to take advantage of tax breaks for those who set up businesses on the island.

TechCrunch verified the records by contacting several patients who confirmed their details from the faxes.

When reached about the security lapse, Patel said the company was “looking into the issue to identify the problem and solution,” but deferred comment to the company’s general counsel, Angel Marrero.

“We are still reviewing our logs and records to access the scope of any potential exposure,” said Marrero in an email.

We asked if the company planned to inform regulators and customers. Marrero said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”

It’s not immediately known if anyone else discovered the exposed server, or how long the data was exposed.

Both Meditab and MedPharm claim to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, which governs how healthcare providers properly manage patient data security.

Companies that expose data or violate the law can face hefty fines.

Last year was a year of “record” fines — some $25 million for several exposures and breaches, including $4.3 million in fines to the University of Texas for an inadvertent disclosure of encrypted personal health data, and a $3.5 million settlement by Fresenius following five separate breaches.

A spokesperson for the U.S. Department of Health and Human Services did not comment.

Facebook failed to block 20% of uploaded New Zealand shooter videos

Facebook said it removed 1.5 million videos from its site within the first 24 hours after a shooter livestreamed his attack on two New Zealand mosques, killing 50 people.

In a series of tweets, Facebook’s Mia Garlick said a total of 1.2 million videos were blocked at the point of upload. Videos that included “praise or support” for the attack were also removed, she said, using a mix of automated technologies — like audio detection — and human content moderators.

Facebook did not say why the 300,000 videos were not caught at upload, representing a 20 percent failure rate.

The cherry-picked “vanity” statistics only account for the total number of uploaded videos that Facebook knows about. TechCrunch found several videos posted to Facebook more than 12 hours after the attack. Some are calling on Facebook to release the engagement figures — such as how many views, shares and reactions were made before the videos were taken down — which critics say is a more accurate measure of how far the videos spread.

The attack on Friday targeted worshippers during morning prayers in Christchurch, New Zealand. Police said they apprehended the shooter about half an hour after reports of the first attack came in.

The 28-year-old suspected shooter, charged with murder, livestreamed the video to Facebook using a head-mounted camera, typically used to record sporting events in first-person. Facebook closed the attacker’s account within an hour of the attack, but the video had already been shared across Facebook, Twitter and YouTube. The shooter described himself as a self-professed fascist, according to a “manifesto” he posted shortly before the attacks. The tech companies have faced criticism for not responding to the emerging threat of violence associated with white nationalism, compared to actions taken against content in support of the so-called Islamic State group and the spread of child abuse imagery.

New Zealand prime minister Jacinda Ardern said on Sunday that social media giants like Facebook had to face “further questions” about their response to the event. Facebook second-in-command Sheryl Sandberg reportedly reached out to Ardern following the attacks.

When reached, Facebook did not comment beyond Garlick’s tweeted comments.

Beto O’Rourke could be the first hacker president

Democratic presidential candidate Beto O’Rourke has revealed he was a member of a notorious decades-old hacking group.

The former congressman was a member of the Texas-based hacker group, the Cult of the Dead Cow, known for inspiring early hacktivism in the internet age and building exploits and hacks for Microsoft Windows. The group used the internet as a platform in the 1990s to protest real-world events, often to promote human rights and denounce censorship. Among its many releases, the Cult of the Dead Cow was best known for its Back Orifice program, a remote access and administration tool.

O’Rourke went by the handle “Psychedelic Warlord,” as revealed by Reuters, which broke the story.

But as he climbed the political ranks, first elected to the El Paso city council in 2005, he reportedly grew concerned that his membership with the group would harm his political aspirations. The group’s members kept O’Rourke’s secret safe until the ex-hacker confirmed to Reuters his association with the group.

Reuters described him as the “most prominent ex-hacker in American political history,” who on Thursday announced his candidacy for president of the United States.

If he wins the White House, he would become the first hacker president.

O’Rourke’s history sheds light on how the candidate approaches and understands the technological issues that face the U.S. today. He’s one of the few presidential candidates to run for the White House with more than a modicum of tech knowledge — and the crucial awareness of the good and the problems tech can bring at a policy level.

“I understand the democratizing power of the internet, and how transformative it was for me personally, and how it leveraged the extraordinary intelligence of these people all over the country who were sharing ideas and techniques,” O’Rourke told Reuters.

The 46-year-old has yet to address supporters about the new revelations.

Gearbest security lapse exposed millions of shopping orders

Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and shopping orders, security researchers have found.

Security researcher Noam Rotem found an Elasticsearch server leaking millions of records each week, including customer data, orders, and payment records. The server wasn’t protected with a password, allowing anyone to search the data.

Gearbest ranks as one of the top 250 global websites, and serves top brands, including Asus, Huawei, Intel, and Lenovo.

TechCrunch contacted Gearbest — including through its dedicated security page — to secure the database. The company neither secured the data nor responded to our request for comment.

Rotem, who shared his findings with TechCrunch and published his report at VPNMentor, said names, addresses, phone numbers, email addresses and customer orders and products purchased were among the data exposed. The database also had payment and invoice information, with amount spent and semi-masked names and email addresses.

After reviewing a portion of the data, TechCrunch found the database revealed exactly what customers bought, when, and where the items were sent.

Some of the member-specific records also included passport numbers and other national ID data. Rotem said there was little evidence of encryption, and in some cases none at all.

“The content of some people’s orders has proven very revealing,” Rotem said. Not only are the exposed orders a breach of customer privacy, the exposed data could put customers in parts of the world where freedom of speech and expression is limited in danger. Some of the listings for sex toys and other intimate purchases, for example, could lead to legal repercussions where LGBTQ+ relationships or pre-marital sex are banned.

Countries like the United Arab Emirates and Pakistan have some of the strictest laws, which can lead to punishment by death.

Rotem also found a separate exposed web-based database management system on the same IP address, allowing anyone to manipulate or disrupt the databases run by Gearbest’s parent company, Globalegrow.

It’s not known exactly for how long the server was exposed. Data from internet scanning site Binary Edge showed the database was first detected on March 7.

Shenzhen-based Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the U.K., where EU data protection and privacy laws apply. Any company violating the General Data Protection Regulation (GDPR) can be fined up to four percent of its global revenue.

This is the second security issue at Gearbest in as many years. In December 2017, the company confirmed accounts had been breached after what was described as a credential stuffing attack.

Facebook won’t store data in countries with human rights violations — except Singapore

As soon as Mark Zuckerberg pledged, in a lengthy 3,225-word blog post, not to build datacenters in countries with poor human rights records, he had already broken his promise.

He chose to ignore Singapore, which the Facebook founder had only months earlier posted about, declaring the microstate home to the company’s first datacenter in Asia to “serve everyone.”

Zuckerberg was clear: “As we build our infrastructure around the world, we’ve chosen not to build data centers in countries that have a track record of violating human rights like privacy or freedom of expression.”

If there are two things Singapore is known for, it’s that there’s no privacy or freedom of expression.

For all its glitz and economic power, Singapore’s human rights record falls far below internationally recognized norms. The state, with a population of five million, consistently falls close to the bottom in worldwide rankings by rights groups for its oppressive laws against freedom of speech, expression and assembly and limited rights to privacy under its expanding surveillance system. Worse, the country is known for its horrendous treatment of those in the LGBTQ+ community, whose actions are heavily restricted and any public act or depiction is deemed criminal. And even the media are under close watch and often threatened with rebuke and defamation lawsuits by the government.

Reporters Without Borders said Singapore has an “intolerant government,” and Human Rights Watch called some of the country’s more restrictive laws “draconian.”

We brought these points up with Facebook, but the company doesn’t see Zuckerberg’s remarks as contradictory or hypocritical.

“Deciding where to locate a new data center is a multi-year process that considers dozens of different factors, including access to renewable energy, connectivity, and a strong local talent pool,” said Facebook spokesperson Jennifer Hakes. “An essential factor, however, is ensuring that we can protect any user data stored in the facility.”

“This was the key point that Mark Zuckerberg emphasized in his post last week,” said Hakes. “We looked at all these factors carefully in Singapore and determined that it was the right location for our first data center in Asia.”

Ironically, Facebook’s own platform has been a target for Singapore’s government to crack down on vocal opponents of the state. Jolovan Wham, an activist, was jailed after organizing a public assembly from a Facebook page. The assembly’s permit was denied, so he switched the venue to a Skype call.

When asked, Facebook declined to comment on what it considers unacceptable human rights by a country, only referring back to Zuckerberg’s post.

Singapore remains an important hub for the tech industry and business — particularly for Western companies, who have thrown human rights to the wind even as they tout their commitment to privacy and free speech at home. Amazon, Microsoft, Google, DigitalOcean, Linode, and OVH all have datacenters in the micro-state.

But only one to date has made public commitments to not store data in countries with poor records on human rights.

Why has Facebook made an exception for Singapore? It’s a mystery to everyone but Mark Zuckerberg.

ICE has a huge license plate database targeting immigrants, documents reveal

Newly released documents reveal Immigration and Customs Enforcement is tracking and targeting immigrants through a massive license plate reader database supplied with data from local police departments — in some cases violating sanctuary laws.

The documents, obtained by a Freedom of Information lawsuit filed by the American Civil Liberties Union and released Tuesday, reveal the vehicle surveillance system collects more than a hundred million license plates a month from some of the largest cities in the U.S., including New York and Los Angeles, both of which are covered under laws limiting police cooperation with immigration agencies.

More than 9,000 ICE agents have access to the database, run by Vigilant Solutions, feeding some six billion vehicle detection records into Thomson Reuters’ investigative platform LEARN, to which police departments can buy access.

“The public has a right to know when a government agency — especially an immoral and rogue agency such as ICE — is exploiting a mass surveillance database that is a threat to the privacy and safety of drivers across the United States,” said Vasudha Talla, staff attorney with the ACLU of Northern California, in an email to TechCrunch.

Talla, who sued ICE to release the documents, said the government “should not have unfettered access to information that reveals where we live, where we work, and our private habits.” Critics have noted several high-profile cases of police misusing and improperly accessing license plate data.

Automatic license plate readers (ALPR) scan and detect license plates, along with the time, date and location from thousands of cameras installed across the country to spot criminals and fugitives with warrants out for their arrest. The ACLU previously called it one of the new and emerging forms of mass surveillance in the United States. Companies like Vigilant feed data collected from ALPR cameras into databases accessible to law enforcement and federal agencies, which the ACLU accused ICE of using to find and deport immigrants.

ICE has a “hot list” of more than 1,100 license plates of suspects, felons or other subjects of interest, according to the documents released. Plates on the hot list trigger an alert to ICE that the vehicle has been spotted, including where and when.

“Hot lists are just one method by which ICE agents can track drivers with this system,” said Talla.

A spokesperson for ICE did not comment by our deadline on how many hot list detections led to deportations or removals from the U.S. Spokespeople for Thomson Reuters and Vigilant Solutions also did not comment.

It’s the third effort by ICE to secure access to the database in the past five years, after earlier attempts in 2014 over privacy concerns and 2015 over price negotiations failed. The agency rushed to secure the contract before a planned hike in cost by Thomson Reuters toward the end of 2017.

ICE spent $6.1 million on its latest contract in February 2018, gaining access to 80 law enforcement agencies covering almost two-thirds of the U.S. population. To allay fears of potential misuse, the agency was required to pass a revised privacy impact assessment explaining how ICE can and cannot use the license plate data. In one released email to an NPR reporter, ICE said agents “can only access data” uploaded by police departments if they elect to share it through the system.

But the ACLU found emails of ICE agents directly contacting local law enforcement officers to ask for license plate search data, circumventing the database.

Correspondence between ICE and a local police detective asking for license plate data outside of the ALPR database (Image: ACLU/supplied)

Over a years-long effort, one ICE agent — whose name was redacted by the government — sent several requests to a La Habra police detective by email asking for license plate data.

La Habra is one of 169 police departments in California, and is one of dozens of departments known to use ALPR. But the city’s police department is not on Vigilant’s list of law enforcement partners that supply license plate data to ICE, the documents show.

We asked La Habra Chief of Police Jerry Price if turning over records to ICE was in violation of California’s sanctuary status, but he would not comment.

“By going to local police informally, ICE is able to access locally collected driver location data without having to ask for formal access to the local system through the LEARN network, which could trigger local oversight or concern,” said Talla.

A list of local U.S. police departments contributing license plate data to the database, to which ICE has access (Image: ACLU/supplied)

Other police departments were named as partners that actively feed data into the ICE-accessible database, like Upland, Merced and Union City — three cities in California, which in 2018 passed state-wide laws that offer sanctuary to immigrants who might be in the country illegally or otherwise subject to deportation by ICE. The laws prohibit law enforcement in the state from sharing license plate data with federal agencies, said Talla.

When reached, Union City Police Department chief Victor Derting did not comment. Spokespeople for Upland and Merced police departments did not respond to a request for comment.

The ACLU called on the immediate end to the license plate information sharing.

The documents also revealed how ICE initially considered trying to keep the database a secret, arguing that disclosing the capability would “almost immediately diminish its effectiveness as a law enforcement tool.”

Amid a controversial and questionable national emergency declared by the Trump administration, ICE remains a divisive agency more than ever. Last year, 19 of the top ICE investigators that investigate serious criminal cases, like drug smuggling and sex trafficking rings, called on the government to distance their work from ICE’s enforcement and removal operations unit, which investigates immigration violations and handles deportations.

In January, TechCrunch revealed dozens of ALPR cameras are still exposed on the internet — many of which are accessible without a password.

Russia blocks encrypted email provider ProtonMail

Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company’s chief has confirmed.

The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order after the agency accused the company and several other email providers of facilitating bomb threats.

Several anonymous bomb threats were sent by email to police in late January, forcing several schools and government buildings to evacuate.

In all, 26 internet addresses were blocked by the order, including several servers used to scramble the final connection for users of Tor, an anonymity network popular for circumventing censorship. Internet providers were told to implement the block “immediately,” using a technique known as BGP blackholing, a way that tells internet routers to simply throw away internet traffic rather than routing it to its destination.

But the company says while the site still loads, users cannot send or receive email.

ProtonMail chief executive Andy Yen called the block “particularly sneaky,” in an email to TechCrunch.

“ProtonMail is not blocked in the normal way, it’s actually a bit more subtle,” said Yen. “They are blocking access to ProtonMail mail servers. So Mail.ru — and most other Russian mail servers — for example, is no longer able to deliver email to ProtonMail, but a Russian user has no problem getting to their inbox,” he said.

That’s because the two ProtonMail servers listed by the order are its back-end mail delivery servers, rather than the front-end website that runs on a different system.

The letter, translated, says that the listed internet addresses caused “the mass distribution of obviously false reports of a terrorist act” in January, resulting in “mass evacuations of schools, administrative buildings and shopping centers.” (Image: supplied)

“The wholesale blocking of ProtonMail in a way that hurts all Russian citizens who want greater online security seems like a poor approach,” said Yen. He said his service offers superior security and encryption to other mail providing rivals in the country.

“We have also implemented technical measures to ensure continued service for our users in Russia and we have been making good progress in this regard,” he explained. “If there is indeed a legitimate legal complaint, we encourage the Russian government to reconsider their position and solve problems by following established international law and legal procedures.”

Russia’s internet regulator Roskomnadzor did not return a request for comment.

Yen says the block coincided with protests against government efforts to restrict the internet, which critics have dubbed an internet “kill switch.” The Kremlin, known for its protracted efforts to crack down and stifle freedom of speech, claimed it was to protect the country’s infrastructure in the event of a cyberattack.

Some 15,000 residents protested in Moscow on Sunday, during which users started noticing problems with ProtonMail.

It’s the latest in ongoing tensions with tech companies in the wake of the Russian-backed disinformation efforts. Russia’s crackdown on the internet intensified in 2014 when it ratified a law ordering tech companies operating in the country to store Russian data within its borders. LinkedIn was one of the first casualties of the law, leading to the site’s nationwide ban in 2016.

Last month, Facebook was told to comply with the law or face its own ban. Twitter, too, also faces a possible blackout.

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can be easily discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data even easier to find.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts, and customer data were among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, a researcher found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers’ names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a non-profit aimed at ending global poverty, exposed a list of donor names, addresses and amounts given in a massive spreadsheet.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • Pointcare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four digits of Social Security numbers.
  • United Tissue Network, a whole-body donation non-profit, exposed body donor information and personal information of donors in a vast spreadsheet, including the prices of body parts.

Not even Box was immune from the researchers’ findings.

Box, which initially had no comment when we reached out, had several publicly accessible folders. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Ron said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added. We’ve asked Amadeus how it concluded there was no improper access, and will update when we hear back.

Pointcare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties to agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric, and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public, and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data, and several Chinese government surveillance systems.

And we’re still in the first quarter of the year. Adversis said it expects to find more exposed data down the line as it expands the wordlists it uses to scan for files. The company has open-sourced its scanner and published it online.

Tufts expelled a student for grade hacking. She claims innocence

As she sat in the airport with a one-way ticket in her hand, Tiffany Filler wondered how she would pick up the pieces of her life, with tens of thousands of dollars in student debt and nothing to show for it.

A day earlier, she was expelled from Tufts University veterinary school. As a Canadian, her visa was no longer valid and she was told by the school to leave the U.S. “as soon as possible.” That night, her plane departed the U.S. for her native Toronto, leaving any prospect of her becoming a veterinarian behind.

Filler, 24, was accused of an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.

The case Tufts presented seems compelling, if not entirely believable.

There’s just one problem: In almost every instance that the school accused Filler of hacking, she was elsewhere with proof of her whereabouts or an eyewitness account and without the laptop she’s accused of using. She has alibis: fellow students who testified to her whereabouts; photos with metadata putting her miles away at the time of the alleged hacks; and a sleep tracker that showed she was asleep during others.

Tufts is either right or it expelled an innocent student on shoddy evidence four months before she was set to graduate.

– – –

Guilty until proven innocent

Tiffany Filler always wanted to be a vet.

Ever since she was a teenager, she set her sights on her future career. With almost four years under her belt at Tufts, which is regarded as one of the best schools for veterinary medicine in North America, she could have written her ticket to any practice. Her friends hold her in high regard, telling me that she is honest and hardworking. She kept her head down, earning cumulative grade point averages of 3.9 for her master’s and 3.5 for her doctorate.

For a time, she was even featured on the homepage of Tufts’ vet school. She was a model final-year student.

Tufts didn’t see it that way.

Filler was called into a meeting on the main campus on August 22 where the university told her of an investigation. She had “no idea” about the specifics of the hacking allegations, she told me on a phone call, until October 18 when she was pulled out of her shift, still in her bloodied medical scrubs, to face the accusations from the ethics and grievance committee.

For three hours, she faced eight senior academics, including one who is said to be a victim of her alleged hacks. The allegations read like a court docket, but Filler said she went in knowing nothing that she could use to defend herself.

Tufts said she stole a librarian’s password to assign a mysteriously created user account, “Scott Shaw,” with a higher level of system and network access. Filler allegedly used it to look up faculty accounts and reset passwords by swapping out the email address to one she’s accused of controlling, or in some cases obtaining passwords and bypassing the school’s two-factor authentication system by exploiting a loophole that simply didn’t require a second security check, which the school has since fixed.

Tufts accused Filler of using this extensive system access to systematically log in as “Scott Shaw” to obtain answers for tests, then taking the tests under her own account, said to be traced to either her computer — based off a unique identifier, known as a MAC address — or the network she allegedly used, either the campus’s wireless network or her off-campus residence. When her grades went up, sometimes other students’ grades went down, the school said.

In other cases, she’s alleged to have broken into the accounts of several assessors in order to alter existing grades or post entirely new ones.

Tiffany Filler, left, with her mother in a 2017 photo at Tufts University.

The bulk of the evidence came from Tufts’ IT department, which said each incident was “well supported” from log files and database records. The evidence pointed to her computer over a period of several months, the department told the committee.

“I thought due process was going to be followed,” said Filler, in a call. “I thought it was innocent until proven guilty until I was told ‘you’re guilty unless you can prove it.’”

Like any private university, Tufts can discipline — even expel — a student for almost any reason.

“Universities can operate like shadow criminal justice systems — without any of the protections or powers of a criminal court,” said Samantha Harris, vice president of policy research at FIRE, a rights group for America’s colleges and universities. “They’re without any of the due process protections for someone accused of something serious, and without any of the powers like subpoenas that you’d need to gather all of the technical evidence.”

Students face an uphill battle in defense of any charges of wrongdoing. As was the case with Filler, many students aren’t given time to prepare for hearings, have no right to an attorney, and are not given any or all of the evidence. Some of the broader charges, such as professional misconduct or ethical violations, are even harder to fight. Grade hacking is one such example — and one of the most serious offenses in academia. Where students have been expelled, many have also faced prosecution and the prospect of serving time in prison on federal computer hacking charges.

Harris reviewed documents we provided outlining the university’s allegations and Filler’s appeal.

“It’s troubling when I read her appeal,” said Harris. “It looks as though [the school has] a lot of information in their sole possession that she might try to use to prove her innocent, and she wasn’t given access to that evidence.”

Access to the university’s evidence, she said, was “critical” to due process protections that students should be given, especially when facing suspension or expulsion.

A month later, the committee served a unanimous vote that Filler was the hacker and recommended her expulsion.

– – –

A RAT in the room

What few facts Filler and Tufts could agree on is that there almost certainly was a hacker. They just disagreed on who the hacker was.

Struggling for answers and convinced her MacBook Air — the source of the alleged hacks — was itself compromised, she paid for someone through freelance marketplace Fiverr to scan her computer. Within minutes, several malicious files were found, chief among which were two remote access trojans — or RATs — commonly used by jilted or jealous lovers to spy on their exes’ webcams and remotely control their computers over the internet. The scan found two: Coldroot and CrossRAT. The former is easily deployed, and the other is highly advanced malware, said to be linked to the Lebanese government.

Evidence of a RAT might suggest someone had remote control of her computer without her knowledge. But existence of both on the same machine, experts say, is unlikely if not entirely implausible.

Thomas Reed, director of Mac and Mobile at Malwarebytes, the same software used to scan Filler’s computer, confirmed the detections but said there was no conclusive evidence to show the malware was functional.

“The Coldroot infection was just the app and was missing the launch daemon that would have been key to keeping it running,” said Reed.

Even if it were functional, how could the hacker have framed her? Could Filler have paid someone to hack her grades? If she paid someone to hack her grades, why implicate her — and potentially the hacker — by using her computer? Filler said she was not cautious about her own cybersecurity — insofar that she pinned her password to a corkboard in her room. Could this have been a stitch-up? Was someone in her house trying to frame her?

The landlord told me a staff resident at Tufts veterinary school, who has since left the house, “has bad feelings” and “anger” toward Filler. The former housemate may have motive but no discernible means. We reached out to the former housemate for comment but did not hear back, and therefore are not naming the person.

Filler took her computer to an Apple Store, claiming the “mouse was acting on its own and the green light for the camera started turning on,” she said. The support staff backed up her files but wiped her computer, along with any evidence of malicious software beyond a handful of screenshots she took as part of the dossier of evidence she submitted in her appeal.

It didn’t convince the grievance committee of possible malicious interference.

“Feedback from [IT] indicated that these issues with her computer were in no way related to the alleged allegations,” said Angie Warner, the committee’s acting chair, in an email we’ve seen, recommending Filler’s expulsion. Citing an unnamed IT staffer, the department claimed with “high degree of certainty” that it was “highly unlikely” that the grade changes were “performed by malicious software or persons without detailed and extensive hacking ability.”

Unable to prove who was behind the remote access malware — or even if it was active — she turned back to fighting her defense.

– – –

‘Why wait?’

It took more than a month before Filler would get the specific times of the alleged hacks, revealing down to the second when each breach happened.

Filler thought she could convince the committee that she wasn’t the hacker, but later learned that the timings “did not factor” into the deliberations of the grievance committee, wrote Tufts’ veterinary school dean Joyce Knoll in an email dated December 21.

But Filler said she could in all but a handful of cases provide evidence showing that she was not at her computer.

In one of the first allegations of hacking, Filler was in a packed lecture room, with her laptop open, surrounded by her fellow vet school colleagues both beside and behind her. We spoke to several students who knew Filler — none wanted to be named for fear of retribution from Tufts — who wrote letters to testify in Filler’s defense.

All of the students we spoke to said they were never approached by Tufts to confirm or scrutinize their accounts. Two other classmates who saw Filler’s computer screen during the lecture told me they saw nothing suspicious — only her email or the lecture slides.

Another time Filler is accused of hacking, she was on rounds with other doctors, residents and students to discuss patients in their care. One student said Filler was “with the entire rotation group and the residents, without any access to a computer” for two hours.

For another accusation, Filler was out for dinner in a neighboring town. “She did not have her laptop with her,” said one of the fellow students who was with Filler at dinner. The other students sent letters to Tufts in her defense. Tufts said on that occasion, her computer — eight miles away from the restaurant — was allegedly used to access another staff member’s login and to try to bypass the two-factor authentication, using an iPhone 5S, a model Filler doesn’t own. Filler has an iPhone 6. (We asked an IT systems administrator at another company about Duo audit logs: They said if a device not enrolled with Duo tried to enter a valid username and password but couldn’t get past the two-factor prompt, the administrator would only see the device’s software version and not the device type. A Duo spokesperson confirmed that the system does not collect device names.)

Filler, who wears a Xiaomi fitness and sleep tracker, said the tracker’s records showed she was asleep at most, but not all, of the times she’s accused of hacking. She allowed TechCrunch to access the data in her cloud-stored account, which confirmed her account.

The list of accusations included a flurry of activity from her computer at her residence, which Tufts said took place between 1 a.m. and 2 a.m. on June 27, 2018 — during which her fitness tracker shows she was asleep — and between 5:30 p.m. and 6:30 p.m. on June 28, 2018.

But Filler was 70 miles away visiting the Mark Twain House in neighboring Hartford, Connecticut. She took two photos of her visit — one of her in the house, and another of her standing outside.

We asked Jake Williams, a former NSA hacker who founded cybersecurity and digital forensics firm Rendition Infosec, to examine the metadata embedded in the photos. The photos, taken from her iPhone, contained a matching date and time for the alleged hack, as well as a set of coordinates putting her at the Mark Twain House.

While photo metadata can be modified, Williams said the signs he expected to see for metadata modification weren’t there. “There is no evidence that these were modified,” he said.
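The kind of check Williams describes, looking for signs that a photo’s embedded date stamps were edited, as an added Python example that is not Williams’ or TechCrunch’s own tooling: it builds two constructed EXIF-style TIFF blobs (not the photos from the story), parses them with a minimal IFD walker, and flags a file-level DateTime that postdates the capture-time DateTimeOriginal, one of the inconsistencies a re-save by an editing app typically leaves behind. The tag ids are the real TIFF/EXIF ones; all dates, version strings and the editor name are constructed.

```python
import struct

# Real TIFF/EXIF tag ids: file-level DateTime, Software, pointer to the Exif
# sub-IFD, and the capture-time DateTimeOriginal that lives inside it.
DATETIME, SOFTWARE, EXIF_IFD, DATETIME_ORIGINAL = 0x0132, 0x0131, 0x8769, 0x9003
NAMES = {DATETIME: "DateTime", SOFTWARE: "Software", DATETIME_ORIGINAL: "DateTimeOriginal"}

def build_tiff(ifd0, exif):
    # Little-endian TIFF blob: IFD0 (ASCII tags + ExifIFD pointer), Exif IFD, then
    # string data. Strings are stored out-of-line, so keep them longer than 4 bytes.
    n0, n1 = len(ifd0) + 1, len(exif)
    off_exif = 8 + 2 + 12 * n0 + 4
    data_off = off_exif + 2 + 12 * n1 + 4
    data = bytearray()
    def ascii_entry(tag, text):
        raw = text.encode() + b"\x00"
        entry = struct.pack("<HHII", tag, 2, len(raw), data_off + len(data))
        data.extend(raw)
        return entry
    out = bytearray(b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", n0))
    for tag, text in sorted(ifd0.items()):
        out += ascii_entry(tag, text)
    out += struct.pack("<HHII", EXIF_IFD, 4, 1, off_exif) + b"\x00\x00\x00\x00"
    out += struct.pack("<H", n1)
    for tag, text in sorted(exif.items()):
        out += ascii_entry(tag, text)
    return bytes(out + b"\x00\x00\x00\x00" + data)

def parse_tiff(blob):
    # Walk IFD0 and the Exif sub-IFD, returning the ASCII tags named above.
    end = "<" if blob[:2] == b"II" else ">"
    tags = {}
    def walk(off):
        (count,) = struct.unpack_from(end + "H", blob, off)
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack_from(end + "HHII", blob, e)
            if tag == EXIF_IFD:
                walk(val)
            elif typ == 2:  # ASCII; values of 4 bytes or fewer sit inline
                raw = blob[e + 8:e + 8 + cnt] if cnt <= 4 else blob[val:val + cnt]
                tags[NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode()
    (ifd0,) = struct.unpack_from(end + "I", blob, 4)
    walk(ifd0)
    return tags

def edit_indicators(tags):
    # A re-save typically rewrites the file-level DateTime (and often Software) while
    # DateTimeOriginal keeps capture time; "YYYY:MM:DD HH:MM:SS" sorts as a string.
    dt, orig = tags.get("DateTime"), tags.get("DateTimeOriginal")
    return {"modified_after_capture": bool(dt and orig and dt > orig),
            "software": tags.get("Software")}

# Constructed samples, not the photos from the story: one untouched capture
# and the same capture re-saved by an editing app months later.
CAPTURE = "2018:06:28 17:52:10"
UNTOUCHED = build_tiff({DATETIME: CAPTURE, SOFTWARE: "11.4"}, {DATETIME_ORIGINAL: CAPTURE})
RESAVED = build_tiff({DATETIME: "2019:01:10 09:15:00", SOFTWARE: "ExampleEditor 1.0"},
                     {DATETIME_ORIGINAL: CAPTURE})
```

A clean result only says the examiner found no such inconsistency, which is as far as Williams’ statement goes; it does not prove the file was never touched.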

Yet none of it was good enough to keep her enrolled at Tufts. In a letter on January 16 affirming her expulsion, Knoll rejected the evidence.

“Date stamps are easy to edit,” said Knoll. “In fact, the photos you shared with me clearly include an ‘edit’ button in the upper corner for this exact purpose,” she wrote, referring to the iPhone software’s native photo editing feature. “Why wait until after you’d been informed that you were going to be expelled to show me months’ old photos?” she said.

“My decision is final,” said her letter. Filler was expelled.

Filler’s final expulsion letter. (Image: supplied)

– – –

The little things

Filler is back home in Toronto. As her class is preparing to graduate without her in May, Tufts has already emailed her to begin reclaiming her loans.

News of Filler’s expulsion was not unexpected given the drawn-out length of the investigation, but many were stunned by the result, according to the students we spoke to. From the time of the initial investigation, many believed Filler would not escape the trap of “guilty until proven innocent.”

“I do not believe Tiffany received fair treatment,” said one student. “As a private institution, it seems like we have few protections [or] ways of recourse. If they could do this to Tiffany, they could do it to any of us.”

TechCrunch sent Tufts a list of 19 questions prior to publication — including if the university hired qualified forensics specialists to investigate, and if law enforcement was contacted and whether the school plans to press criminal charges for the alleged hacking.

“Due to student privacy concerns, we are not able to discuss disciplinary matters involving any current or former student of Cummings School of Veterinary Medicine at Tufts University,” said Tara Pettinato, a Tufts spokesperson. “We take seriously our responsibility to ensure our students’ privacy, to maintain the highest standards of academic integrity, and to adhere to our policies and processes, which are designed to be fair and equitable to all students.”

We asked if the university would answer our questions if Filler waived her right to privacy. The spokesperson said the school “is obligated to follow federal law and its own standards and practices relating to privacy,” and would not discuss disciplinary matters involving any current or former student.

The spokesperson declined to comment further.

But even the little things don’t add up.

Tufts never said how it obtained her IP address. Her landlord told me Tufts never asked for it, let alone confirmed it was accurate. Courts have thrown out cases that rely on them as evidence when others share the same network. MAC addresses can identify devices but can be easily spoofed. Filler owns an iPhone 6, not an iPhone 5S, as claimed by Tufts. And her computer name was different to what Tufts said.

And how did she allegedly get access to the “Scott Shaw” password in the first place?

Warner, the committee chair, said in a letter that the school “does not know” how the initial librarian’s account was compromised, and that it was “irrelevant” if Filler even created the “Scott Shaw” account.

Many accounts were breached as part of this apparent elaborate scheme to alter grades, but there is no evidence Tufts hired any forensics experts to investigate. Did the IT department investigate with an inherent confirmation bias to try to find evidence that connected Filler’s account with the suspicious activity, or were the allegations constructed after Filler was identified as a suspect? And why did the university take months from the first alleged hack to move to protect user accounts with two-factor authentication, and not sooner?

“The data they are looking at doesn’t support the conclusions they’ve drawn,” said Williams, following his analysis of the case. “It’s entirely possible that the data they’re relying on — is far from normal or necessary burdens of evidence that you would use for an adverse action like this.

“They did DIY forensics,” he continued. “And they opened themselves up to legal exposure by doing the investigation themselves.”

Not every story has a clear ending. This is one of them. As much as you would want answers reading this far into the story, we do, too.

But we know two things for certain. First, Tufts expelled a student months before she was set to graduate based on a broken system of academic-led, non-technical committees forced to rely on weak evidence from IT technicians who had no discernible qualifications in digital forensics. And second, it doesn’t have to say why.

Or as one student said: “We got her side of the story, and Tufts was not transparent.”
