Cyber Incident Victim: United Valor Solutions

Date: Apr 2021

Location: United States of America

Summary

A security researcher discovered an unprotected database containing sensitive personal and financial information of approximately 189,460 U.S. veterans, linked to United Valor Solutions, a provider of disability evaluation services for government agencies. The exposed data included unencrypted internal account credentials and was configured to allow unauthorized alteration or deletion of records. Evidence indicated prior unauthorized access, including a ransom note demanding cryptocurrency in exchange for withholding the data, though the company asserted only internal and researcher IP addresses had accessed the system. The database was secured following notification, but inconsistent logging practices complicated verification of access history. The incident exposed veterans to potential identity theft and account takeover risks.

Description

On April 18, 2021, security researcher Jeremiah Fowler discovered an unprotected database containing sensitive information on 189,460 U.S. veterans seeking disability benefits through United Valor Solutions, a North Carolina-based contractor providing evaluation services for the Veterans Administration and other government agencies. The exposed records included veterans' private information, financial data, and internal United Valor account credentials stored in plain text, creating risks of identity theft and account takeover. Fowler also observed that the database permitted unauthorized users to modify or delete records, amplifying the exposure of medical and financial data. Within the database, Fowler identified a ransom note demanding payment of 0.15 Bitcoin (approximately $8,400) within 48 hours to prevent public release of the data, indicating prior unauthorized access by malicious actors. Fowler immediately notified United Valor of the breach, and the company confirmed the next day that its contractors had secured the database.

United Valor’s contractors asserted that only internal IP addresses and Fowler’s access point had interacted with the database, a claim seemingly contradicted by the presence of the ransom note. The plaintext storage of passwords increased risks of credential misuse against veterans and United Valor systems, while the absence of access controls allowed potential manipulation or destruction of records. The incident’s discovery highlighted configuration errors, including inadequate encryption, excessive permissions, and potential gaps in logging that complicated verification of access history. No evidence suggested United Valor or its affiliates acted maliciously, but the exposure left veterans vulnerable to financial fraud and targeted scams. The company’s prompt containment response secured the database within one day of notification, though the scope of prior unauthorized access remained unclear due to potential logging limitations.
