In 2006, I started advocating that there needs to be a law or regulation that requires businesses to have a method to receive notifications of security alerts. A number of people I respect offered explanations as to why that wasn’t a great idea. But 13 years later, I’m more convinced than ever that we need regulation or law requiring it. Of course, just getting a notification delivered doesn’t mean that the entity will read it or respond appropriately to it. And when I rule the world, there will also be more consequences for entities who do not respond to notifications at all.
I can now reveal how I and others spent a few frustrating months trying to get a plastic surgeon in Colombia to lock down his Amazon S3 bucket. It was exposing more than 3,000 patient files, many of which were full frontal and rear nude photos of identifiable people. Most of these were pre-surgical images, but there were also numerous PDF files with detailed patient histories. To be clear: I do not know if he owned and managed the bucket or if he had some third-party vendor doing that, but it was his patients’ data and so we reached out to him. Repeatedly. To no avail.
I generally avoid posting any PHI on this site, but I want you all to see how concerning this leak was, so I am posting just one of the images from the bucket, redacted. Keep in mind that it was not redacted at all in the bucket, which anyone could access and download from. How do you think Dr. Felipe Amaya’s patients would feel if they knew that nude pictures like this were available online for anyone and everyone to download without any login required? And that he had been notified numerous times but still did not get the bucket secured?
DataBreaches.net was originally alerted to this leak over the summer by a researcher. This site then called Dr. Felipe Amaya’s Florida phone number and left a voicemail with my U.S. callback number and information.
This site also contacted them numerous times in writing via their onsite contact and chat form at FelipeAmaya.com. We also tried email to their info@ email address on numerous occasions. I even tried Telegram. My messages were sent in both English and Spanish. And someone in the area of their Colombia center actually got through to them on the phone one day, only to be told by a secretary that they don’t use Amazon.
With repeated and various methods failing, Amazon was contacted, and as we understand it, they did contact their user. But nothing happened. The bucket remained exposed.
Enter GDI Foundation, stage left. GDI Foundation is focused on responsible disclosure, and they reached out to Amazon, CERT, and of course, Dr. Felipe Amaya’s site.
This time, it worked. The bucket is now locked down. Great thanks to @MasterHawkx1 of GDI Foundation for his help on this. And if you would like to be part of their responsible disclosure project, contact him or @0xDUDE via Twitter.
But this leak also made me think about that Florida phone number on their site. Is that surgeon’s business therefore accountable under Florida breach notification law? And even if it is not, if you are an American thinking about medical tourism, you may also want to think about what happens in the event of a privacy or data security breach. Do you know if there will be any accountability?
In any event, you might think that with the felipeamaya.com bucket locked down, we could breathe a sigh of relief and rest a bit on our laurels. Heck no, because this morning I started seriously going after the business that leaked the 750,000 birth certificate applications that Zack Whittaker reported on this week (well, I think it’s the same one that I had been aware of since June of this year). Zack’s report that he was unable to reach anyone there reminded me that that firm had been on an ever-growing list of entities to notify. But when the firm didn’t respond to a site contact message I left yesterday, and my attempt via LinkedIn to reach a founder of the company named in their copyright notice did not produce a response from that individual, I reached out to Amazon, CERT, and the Federal Trade Commission.
I won’t go into details about this one because I don’t want to point to the exposed database, but hopefully, someone will get that company off the dime and I’ll be able to post an update at some point. Amazon did send two prompt replies to my emails alerting them to the situation.
While Amazon and law enforcement seem like logical approaches for these types of situations, it would be great if the FTC came down hard on those who not only have inadequate data security but also do not respond to notifications. The FTC took action like that once in the past, but they need to do it more frequently and with more serious consequences until entities get the message that they need to have a way to receive alerts and they need to respond to them.
Update: Within hours of contacting Amazon and CERT, the bucket for onlinevitalus.com was locked down. Zack informs this site that it had been going up and down for a few days at that point, so I waited to reveal their identity, but it seems to be staying offline now. Was it Amazon’s intervention that did the trick? Or was it my email to them the day before through their site contact form asking them if they have been sued yet? Or was it Zack’s previous efforts now bearing fruit? It’s impossible for me to know, but I’m glad it’s locked down now.
Could you expound on what the arguments were that “… offered explanations as to why that wasn’t a great idea.”? I only come up with 2, and they are very weak: (a) that the penalty for the breach itself would induce self-action to establish such a notice system; and (b) the old tried and true “we do not need more regulations” because it will just benefit the lawyers and lead to higher costs.
I kinda get it if all you have is email addresses that are exposed, but at an absolute minimum, any entity that has sensitive information should be legally required to establish, maintain and monitor a security disclosure notice system, and suffer fines and penalties for not doing so (in my view).
Sorry for the very delayed response. I don’t remember all the arguments by now, but one was a very realistic one — how many small or medium companies would even have someone working to check emails every day or phone messages? I had been arguing that if a company had a web site, that site should have a dedicated email address on it that would be monitored for people attempting to notify the company of a problem. Now, years later, I can see another problem: people could use any such email address as a way to inject malware into the system by sending an urgent alert or notice with a link to the supposed problem, etc.
I’m not sure what the solution is, but 13 years later, I am still convinced that entities that collect and store PII or PHI should be required to have a mechanism to reach them in the event of a data security incident.