DataBreaches.Net


On the notification warpath, Friday edition

Posted on December 13, 2019 by Dissent

In 2006, I started advocating that there needs to be a law or regulation that requires businesses to have a method to receive notifications of security alerts. A number of people I respect offered explanations as to why that wasn’t a great idea. But 13 years later, I’m more convinced than ever that we need regulation or law requiring it. Of course, just getting a notification delivered doesn’t mean that the entity will read it or respond appropriately to it. And when I rule the world, there will also be more consequences for entities who do not respond to notifications at all.

I can now reveal how I and others spent a few frustrating months trying to get a plastic surgeon in Colombia to lock down his Amazon S3 bucket. It was exposing more than 3,000 patient files, many of which were full frontal and rear nude photos of identifiable people. Most of these were pre-surgical images, but there were also numerous PDF files with detailed patient histories. To be clear: I do not know if he owned and managed the bucket or if he had some third-party vendor doing that, but it was his patients’ data and so we reached out to him. Repeatedly. To no avail.

Despite repeated notifications, the storage bucket with nude patient photos and files with records remained exposed to the world. Redacted by DataBreaches.net

I generally desperately avoid posting any PHI on this site, but I want you all to see how very concerning this leak was, so I am redacting just one of the images in the file. Keep in mind that it wasn’t redacted at all in the bucket that anyone could access and download. How do you think Dr. Felipe Amaya’s patients would feel if they knew their nude pictures like this were available online for anyone and everyone to download without any login required? And that he had been notified numerous times but still did not get the bucket secured?
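The bucket in this story was readable by anyone with no login at all, which in S3 terms means either a bucket ACL granting the AllUsers group access, a bucket policy with `Principal: "*"`, or both, with none of the account's Block Public Access settings turned on. As an added example that is not code from DataBreaches.net or from any of the parties named here, the following script evaluates those three configuration documents offline and reports whether the bucket is world-readable. The three sample inputs are constructed to mirror the shape of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses; the bucket name and owner ID in them are placeholders.

```python
"""Offline check: does an S3 bucket's configuration expose its objects to the world?

Added example for this post, not code from DataBreaches.net. The inputs below are
constructed to mirror the shape of the AWS S3 API responses (GetBucketAcl,
GetBucketPolicy, GetPublicAccessBlock); in a real audit you would feed in the
results of those calls for your own buckets.
"""
import json

# Canonical URIs AWS uses for the two "anyone" groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# --- Constructed sample inputs (placeholder bucket name and owner ID) ---
PRIVATE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
                "Permission": "FULL_CONTROL"}],
}
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-patient-files/*"}],
})
NO_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


def acl_public_grants(acl):
    """Return (group, permission) pairs the ACL hands to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    """True for the forms AWS accepts as 'anyone': "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return the Sids of Allow statements open to everyone with no Condition narrowing them."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned public grants need a human review; not flagged here
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_access_block_complete(pab):
    """True only when all four Block Public Access settings are enabled."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(acl, policy_json, pab):
    """Combine ACL, policy and Block Public Access into an exposure verdict with reasons."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    reasons = []
    for group, perm in acl_public_grants(acl):
        if not cfg.get("IgnorePublicAcls"):  # IgnorePublicAcls neutralises public ACL grants
            reasons.append(f"ACL grants {perm} to {group}")
    for sid in policy_public_statements(policy_json):
        if not cfg.get("RestrictPublicBuckets"):  # RestrictPublicBuckets neutralises public policies
            reasons.append(f"bucket policy statement '{sid}' allows Principal '*' unconditionally")
    return {"exposed": bool(reasons),
            "public_access_block_complete": public_access_block_complete(pab),
            "reasons": reasons}


if __name__ == "__main__":
    print("open bucket:  ", assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, NO_PAB))
    print("after lockdown:", assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, LOCKED_PAB))
```

The second call shows why "locking down" a bucket in practice often means enabling Block Public Access rather than editing every ACL and policy by hand: with all four settings on, the same public ACL grant and public policy statement no longer make the objects reachable.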

DataBreaches.net was originally alerted to this leak over the summer by a researcher. This site then called Dr. Felipe Amaya’s Florida phone number and left a voicemail with my U.S. callback number and information.

This site also contacted them numerous times in writing via their onsite contact and chat form at FelipeAmaya.com. We also tried email to their info@ email address on numerous occasions. I even tried Telegram. My messages were sent in both English and Spanish. And someone in the area of their Colombia center actually got through to them on the phone one day, only to be told by a secretary that they don’t use Amazon.

With repeated and various methods failing, Amazon was contacted, and as we understand it, they did contact their user. But nothing happened. The bucket remained exposed.

Enter GDI Foundation, stage left. GDI Foundation is focused on responsible disclosure, and they reached out to Amazon, CERT, and of course, Dr. Felipe Amaya’s site.

This time, it worked. The bucket is now locked down. Great thanks to @MasterHawkx1 of GDI Foundation for his help on this. And if you would like to be part of their responsible disclosure project, contact him or @0xDUDE via Twitter.

But this leak also made me think about that Florida phone number on their site. Is that surgeon’s business therefore accountable under Florida breach notification law? And even if they are not, if you are an American thinking about medical tourism, you may also want to think about what happens in the event of a privacy or data security breach. Do you know if there will be any accountability?

In any event, you might think that with the felipeamaya.com bucket locked down, we could breathe a sigh of relief and rest a bit on our laurels? Heck no, because this morning I started seriously going after the business that leaked the 750,000 birth certificate applications that Zack Whittaker reported on this week (well, I think it’s the same one that I had been aware of since June of this year). Zack’s report of their failure to be able to reach anyone reminded me that that firm had been on an ever-growing list of entities to notify. But when the firm didn’t respond to a site contact message I left yesterday, and my attempt via LinkedIn to reach a founder of the company named in their copyright notice did not produce a response from that individual, I reached out to Amazon, CERT, and the Federal Trade Commission.

I won’t go into details about this one because I don’t want to point to the exposed database, but hopefully, someone will get that company off the dime and I’ll be able to post an update at some point. Amazon did send me two prompt updates in response to my emails alerting them to the situation.

While Amazon and law enforcement seem logical approaches for these types of situations, it would be great if the FTC came down hard on those who not only have inadequate data security but do not respond to notifications. The FTC took action like that once in the past, but they need to do it more frequently and with more serious consequences until entities get the message that they need to have a way to receive alerts and they need to respond to them.

Update: Within hours of contacting Amazon and CERT, the bucket for onlinevitalus.com was locked down. Zack informs this site that it had been going up and down for a few days at that point, so I waited to reveal their identity, but it seems to be staying offline now. Was it Amazon’s intervention that did the trick? Or was it my email to them the day before through their site contact form asking them if they have been sued yet? Or was it Zack’s previous efforts now bearing fruit? It’s impossible for me to know, but I’m glad it’s locked down now.

Category: Breach Incidents, Business Sector, Exposure, Health Data, Non-U.S., U.S.


2 thoughts on “On the notification warpath, Friday edition”

  1. Mike Oliver says:
    December 13, 2019 at 12:26 pm

    Could you expound on what the arguments were that “… offered explanations as to why that wasn’t a great idea.”? I only come up with 2, and they are very weak: (a) that the penalty for the breach itself would induce self-action to establish such a notice system; and (b) the old tried and true “we do not need more regulations” because it will just benefit the lawyers and lead to higher costs.

    I kinda get it if all you have is email addresses that are exposed, but at an absolute minimum, any entity that has sensitive information should be legally required to establish, maintain and monitor a security disclosure notice system, and suffer fines and penalties for not doing so (in my view).

    1. Dissent says:
      December 17, 2019 at 4:13 pm

      Sorry for the very delayed response. I don’t remember all the arguments by now, but one was a very realistic one: how many small or medium companies would even have someone working to check emails every day or phone messages? I had been arguing that if a company had a web site, that site should have a dedicated email address on it that would be monitored for people attempting to notify the company of a problem. Now, years later, I can see another problem… people could use any such email address as a way to inject malware into the system by sending an urgent alert or notice with a link to the supposed problem, etc.

      I’m not sure what the solution is, but 13 years later, I am still convinced that entities that collect and store PII or PHI should be required to have a mechanism to reach them in the event of a data security incident.
