DataBreaches.Net


Breast Cancer Support Organization Leaks Data Despite Multiple Notifications?

Posted on May 3, 2022 by Dissent

Update: After posting this, tweeting this story, and getting retweets on it, it appears that as of late yesterday, the bucket was finally secured. Thanks to SafetyDetectives, who kept re-checking the bucket, and to everyone who tried to call attention to this to get the data locked down. DataBreaches did not get any acknowledgement or response from BreastCancer.org — at least not yet. DataBreaches has not changed its opinion that an investigation is needed to determine for how long these data were exposed, whether they were accessed and downloaded, and why BreastCancer.org failed to respond to multiple notifications over a period of five months.


SafetyDetectives recently reported that Breastcancer.org has been exposing sensitive information in a misconfigured AWS bucket. According to their report, exposed data included more than 50,000 registered user avatars and more than 300,000 post images with EXIF data.

Some post images featured sensitive content that felt as though it was intended for private viewing. For example, there were results from medical tests and images of nudity (most likely taken for medical purposes) included among the files — contents that a user would not typically post publicly.

The data may have been exposed for years.

Read more on SafetyDetectives.

One point that wasn’t clear from SafetyDetectives’ report was whether the bucket had been secured. SafetyDetectives started reaching out to BreastCancer.org in November of 2021. They describe their multiple efforts, but no outcome was reported. DataBreaches reached out to SafetyDetectives and received the following reply:

… unfortunately the bucket is still unsecured, we tried reaching the organization several times to different email addresses (including their privacy email, CEO, and basically all the people on their about page), we even reached out via social media (we tried reaching them publishing a post, because they don’t accept private messages), but they haven’t replied back. We reached out to the US CERT but they didn’t reply and AWS did reply, but the thing is that they cannot actually secure the bucket, but to tell the owner that they need to secure it.

We published our report hoping that they would reach out to us to secure it but they haven’t gotten back to us yet.

So more than 5 months after responsible disclosure attempts began, the bucket was still unsecured. DataBreaches reached out to BreastCancer.org through their website contact form, and like SafetyDetectives, got no reply.

DataBreaches left them a second message on their site telling them that we would be reporting in 48 hours and to lock down their data. There was no reply and the bucket was not secured.

At 8:00 am this morning, DataBreaches left a voicemail on their office phone. It reiterated that people had been notifying them for months but they had failed to lock down their Amazon storage bucket and that DataBreaches would be reporting on it this afternoon.

Still nothing, it seems.

The organization’s privacy policy page contains this statement:

How We Protect Your Information

We use reasonable and appropriate administrative, technical, and physical safeguards to protect the information that we have about you from loss, theft, and unauthorized use, access, modification, or destruction. We also require third-party service providers acting on our behalf or with whom we share your information to maintain security measures in accordance with industry standards.

Although we have security safeguards in place, we cannot guarantee absolute security in all situations. If you have any questions about our security practices, please contact us as described in the “Contact Us” section. For your own security, please do not send any confidential personal information to us outside of our Services. It is also important that you maintain the security and control of your account credentials, and not share your password with anyone.

Except that they don’t respond to contacts.

Pennsylvania regulators need to look into both the lack of security and BreastCancer.org’s failure to respond to repeated notifications that they were exposing personal and sensitive information.

If you wish to contact the Pennsylvania Attorney General’s Office to file a consumer complaint, you can find information and an online complaint form linked from here.

If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already!

And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.

Category: Breach Incidents, Commentaries and Analyses, Exposure, Health Data, Miscellaneous, U.S.
