Breaches of servers in medical offices can yield personal and medical records for criminal use.

The FBI warns that attackers are targeting vulnerable FTP servers used by small medical and dental offices as a way to obtain medical records and other sensitive personal information.

While the dangers of placing sensitive data on these servers are well known, smaller businesses may not have the expertise or motivation to upgrade.

The attackers can use the stolen data to harass, intimidate and blackmail these businesses, the FBI says, and may also use the stolen information to commit fraud. The attackers could also write to the servers in order to store malware and launch attacks, the FBI says.

The remedy is to remove any personally identifiable information or protected health information from these servers and replace FTP with something more secure.

Anonymous FTP is called that because it requires no authentication in order to access files on the server. It’s recommended that these servers host only public files. “The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address,” the FBI says.

HIPAA protects PHI and subjects violators to fines. PII is also protected under privacy laws and regulations, and violations can result in fines as well.

The cost of a data breach that compromises PII and PHI would likely be much more than the cost of replacing it with something more secure, such as SFTP or FTPS, says Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, which offers file transfer services and support.

“It’s a really old protocol,” he says. “Even using it in not-anonymous mode is dangerous.” He says it’s not seen that much anymore, but when he runs across it, it is usually an implementation deployed years ago that has never been upgraded.
In larger organizations old deployments may still be in place but forgotten and never taken down. Despite this, the FBI cites 2015 research that says 1 million FTP servers were configured to allow anonymous access. Merkulov speculates the FBI warning stems from discovery of FTP exploitation in a case it is working on.

Getting rid of anonymous FTP is pretty straightforward, he says, requiring just minutes of setting changes on the server. Depending on the types of client software used to access the servers, the process could be more complicated, requiring set-up of credentials and accounts.
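The "minutes of setting changes" above, made concrete: the following script is an added example (not from the article, the FBI, or Globalscape) that audits a vsftpd-style configuration for the two conditions the article describes, anonymous logins and anonymous write access, plus cleartext transfer. It assumes vsftpd's key=value file format and its documented option names (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, write_enable, ssl_enable, force_local_logins_ssl, force_local_data_ssl); the weak and hardened sample configs are constructed for illustration.

```python
"""Audit a vsftpd-style config for anonymous access and cleartext transfer.

Added example (not part of the article). Assumes vsftpd's key=value
format and option names; sample configs below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample: an old anonymous FTP deployment of the kind the article
# describes, with anonymous writes allowed and no TLS.
SAMPLE_WEAK_CONFIG = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
write_enable=YES
local_enable=YES
ssl_enable=NO
"""

# Constructed sample: the same server after hardening. Anonymous access is off,
# real accounts are required, and TLS (FTPS) is mandatory for logins and data.
SAMPLE_HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse key=value lines; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_yes(settings: Dict[str, str], key: str, default: str) -> bool:
    """vsftpd boolean options are YES/NO; `default` is vsftpd's built-in default."""
    return settings.get(key, default).upper() == "YES"


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, highest-impact first."""
    findings: List[Tuple[str, str]] = []

    # vsftpd's compiled-in default for anonymous_enable is YES, so a config that
    # omits the key still allows 'anonymous'/'ftp' logins with no real password.
    if is_yes(settings, "anonymous_enable", "YES"):
        findings.append(("HIGH", "anonymous_enable is YES: anyone can log in as "
                                 "'anonymous'/'ftp' without a real password"))
        anon_write = is_yes(settings, "write_enable", "NO") and (
            is_yes(settings, "anon_upload_enable", "NO")
            or is_yes(settings, "anon_mkdir_write_enable", "NO"))
        if anon_write:
            findings.append(("CRITICAL", "anonymous users can write: the server "
                                         "can be used to store and serve malware"))

    # Without TLS, account passwords and file contents cross the network in clear.
    if not is_yes(settings, "ssl_enable", "NO"):
        findings.append(("MEDIUM", "ssl_enable is NO: credentials and files are "
                                   "sent in cleartext; enable FTPS or move to SFTP"))
    elif is_yes(settings, "local_enable", "NO") and not (
            is_yes(settings, "force_local_logins_ssl", "YES")
            and is_yes(settings, "force_local_data_ssl", "YES")):
        findings.append(("MEDIUM", "TLS is optional for local users: set both "
                                   "force_local_logins_ssl and force_local_data_ssl to YES"))
    return findings


def severities(text: str) -> List[str]:
    """Convenience wrapper: severity labels for a config file's contents."""
    return [sev for sev, _ in audit(parse_vsftpd(text))]


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in audit(parse_vsftpd(cfg)) or [("OK", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run it against a real file with `audit(parse_vsftpd(open("/etc/vsftpd.conf").read()))`. The hardened fragment only turns TLS on; a working FTPS deployment still needs a certificate configured (vsftpd's rsa_cert_file option), and, as the article notes, clients may need accounts and credentials set up before anonymous access is switched off.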