Another day, another leak, another inaccurate claim by an entity, and another inappropriate attack on a researcher. Buckle up.
TeammateApp is not the sort of entity that DataBreaches usually reports on. DataBreaches decided to report on a data leak they reportedly experienced because once again, a well-intended researcher appears to have been falsely accused of trying to sell services he wasn’t selling and of harassing them simply because he sent a responsible disclosure notice and then a follow-up email.
But let’s start at the beginning.
On February 15, the researcher known as @JayeLTee reached out to TeammateApp via email to alert them to a leak he had discovered. His email resulted in the leak being secured within an hour, but TeammateApp never acknowledged receipt of his notification or responded at all.
Several days later, JayeLTee emailed them again to ask if they would be notifying any regulator or clients, because if they were and if they needed him to delay publication of his report, he would delay publication to give them time to make notifications. JayeLTee explained that he routinely reports on leaks he discovers and tries to get secured.
TeammateApp’s response was ….. inappropriate, at best. As JayeLTee reports, the firm’s CEO, Sean Banayan, replied:
This had no impact on anything or anyone and all anyone could see was basic information of [type of database redacted by JayeLTee] database size etc.
There were few more security layers which would have made any data breach impossible anyway.
Not sure what’s your business and what the heck this Proton actually does, but if you don’t stop harassing us, I’ll get in touch with them to stop you.
Whatever you’re selling, we’re not interested in purchasing it.
Get it??
The reference to “Proton” was presumably because JayeLTee uses protonmail to send notifications. The firm’s CEO didn’t seem to know what “Proton” is and likely assumed it was JayeLTee’s employer or business. The CEO also accused JayeLTee of trying to sell…. something… even though JayeLTee had told them at the outset he is an independent researcher who volunteers his time and doesn’t sell anything.
The remainder of JayeLTee’s post provides evidence that refutes the CEO’s claim about what could be seen and what kind of information was involved. As JayeLTee notes, the “few more security layers” the CEO referenced failed to function properly or, more likely, were nonexistent, because he was able to access employee data and user data containing personal information without ever being asked to log in or provide any password.
TeammateApp Contacted
Having been shown a preview of JayeLTee’s post, DataBreaches emailed TeammateApp about the researcher’s findings. The email included snippets or descriptions of the data that JayeLTee had found exposed. As one example, DataBreaches quoted a subsection of the report:
employees – 23,279
This contained fields such as first and last name, company and workplace foreign keys, email, phone and mobile, date of birth and a field with additional information such as medical recommendations. There were multiple other tables related to employee data such as “employeesppes” which contained PPE (Personal protective equipment) information, mostly uniform sizes.
DataBreaches noted that a redacted screenshot from the employees table was included in the report. DataBreaches requested an unredacted version to try to verify the personal information. JayeLTee provided the unredacted version, and DataBreaches was able to quickly confirm that there was an employee at Kaweka Health with the same name as the person shown in the screenshot.
This site’s email to the CEO also included mention of other examples of exposed files from Kaweka Hospital and G&H Cardiovascular, and a screenshot of a redacted user entry for an “employee of a cybersecurity company https://defend.co.nz” (the latter was from the “Users” table).
Finally, DataBreaches informed the CEO that JayeLTee claimed he can still access files even after the firm locked them down. “He doesn’t explain how in his report, but it sounds like anyone who acquired certain info before you locked things down can bypass login authentication and still access certain files,” DataBreaches wrote to the CEO.
DataBreaches asked the CEO three questions:
1. Do you still maintain there was no leak or breach?
2. Do you have access logs to show what IP addresses may have accessed or acquired files without authorization?
3. Will you be notifying any regulator or people who had their personal information exposed?
DataBreaches also invited Sean Banayan to provide a statement for publication. He replied promptly to this site’s email:
We will further investigate this matter internally and do not wish to entertain this matter with your website.
At this point, then, TeammateApp has not confirmed the data leak that seems pretty evident.
Once again, an entity shot the messenger who was trying to alert them to their security incident. This time, an obviously angry messenger shot back, as JayeLTee’s concluding remarks demonstrate.
You can read JayeLTee’s entire post on his Substack. He has also posted about it on infosec.exchange.