Update: After posting this, tweeting this story, and getting retweets on it, it appears that as of late yesterday, the bucket was finally secured. Thanks to SafetyDetectives who kept re-checking the bucket and to everyone who tried to call attention to this to get the data locked down. DataBreaches did not get any acknowledgement or response from BreastCancer.org — at least not yet. DataBreaches has not changed its opinion that an investigation is needed to determine for how long these data were exposed, whether they were accessed and downloaded, and why BreastCancer.org failed to respond to multiple notifications over a period of five months.
SafetyDetectives recently reported that Breastcancer.org has been exposing sensitive information in a misconfigured AWS bucket. According to their report, exposed data included more than 50,000 registered user avatars and more than 300,000 post images with EXIF data.
Some post images featured sensitive content that felt as though it was intended for private viewing. For example, there were results from medical tests and images of nudity (most likely taken for medical purposes) included among the files — contents that a user would not typically post publicly.
The data may have been exposed for years.
Read more on SafetyDetectives.
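For a bucket owner who wants to confirm that their own storage is not exposed the way the report describes, here is an added example (not code from this post, from SafetyDetectives or from BreastCancer.org) that pulls a bucket's Block Public Access settings, policy status and ACL with boto3 and reports anything that makes its objects readable by the public. It assumes boto3 is installed and AWS credentials for the bucket's account are configured; the bucket name is passed on the command line.

```python
# Added example, not code from the post: audit one S3 bucket for the settings that
# make its objects readable by anyone. Assumes boto3 is installed and AWS credentials exist.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}

def evaluate_exposure(bpa, policy_is_public, acl_grants):
    """Pure check over already-fetched settings; returns findings (empty list = nothing public).

    bpa: the PublicAccessBlockConfiguration dict, or None if the bucket has none.
    policy_is_public: PolicyStatus.IsPublic from GetBucketPolicyStatus, or None if no policy.
    acl_grants: the Grants list from GetBucketAcl.
    """
    findings = []
    if bpa is None:
        findings.append("no Block Public Access configuration on this bucket")
    else:
        findings += [f"Block Public Access setting {k} is off" for k in BPA_KEYS if not bpa.get(k)]
    if policy_is_public:
        findings.append("bucket policy is public")
    for grant in acl_grants:  # ACL grants to the global groups expose objects to everyone
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"bucket ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings

def audit_bucket(bucket):
    """Fetch the live settings with boto3 and run evaluate_exposure on them."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        bpa = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        bpa = None  # no block configured on this bucket at all
    try:
        policy_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy_public = None
    return evaluate_exposure(bpa, policy_public, s3.get_bucket_acl(Bucket=bucket)["Grants"])

if __name__ == "__main__":
    import sys
    print("\n".join(audit_bucket(sys.argv[1])) or "no public exposure found")
```

Account-level Block Public Access (GetPublicAccessBlock on the s3control client) can override what this reports for a single bucket, so a clean result here should be read together with the account setting.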
One point that wasn’t clear from SafetyDetectives’ report was whether the bucket had been secured. SafetyDetectives started reaching out to BreastCancer.org in November of 2021. They describe their multiple efforts, but no outcome was reported. DataBreaches reached out to SafetyDetectives and received the following reply:
… unfortunately the bucket is still unsecured, we tried reaching the organization several times to different email addresses (including their privacy email, CEO, and basically all the people on their about page), we even reached out via social media (we tried reaching them by publishing a post, because they don’t accept private messages), but they haven’t replied back. We reached out to the US CERT but they didn’t reply and AWS did reply, but the thing is that they cannot actually secure the bucket, only tell the owner that they need to secure it.
We published our report hoping that they would reach out to us to secure it but they haven’t gotten back to us yet.
So more than 5 months after responsible disclosure attempts began, the bucket was still unsecured. DataBreaches reached out to BreastCancer.org through their website contact form, and like SafetyDetectives, got no reply.
DataBreaches left them a second message on their site telling them that we would be reporting in 48 hours and to lock down their data. There was no reply and the bucket was not secured.
At 8:00 am this morning, DataBreaches left a voicemail on their office phone. It reiterated that people had been notifying them for months but they had failed to lock down their Amazon storage bucket and that DataBreaches would be reporting on it this afternoon.
Still nothing, it seems.
The organization’s privacy policy page contains this statement:
How We Protect Your Information
We use reasonable and appropriate administrative, technical, and physical safeguards to protect the information that we have about you from loss, theft, and unauthorized use, access, modification, or destruction. We also require third-party service providers acting on our behalf or with whom we share your information to maintain security measures in accordance with industry standards.
Although we have security safeguards in place, we cannot guarantee absolute security in all situations. If you have any questions about our security practices, please contact us as described in the “Contact Us” section. For your own security, please do not send any confidential personal information to us outside of our Services. It is also important that you maintain the security and control of your account credentials, and not share your password with anyone.
Except that they don’t respond to contacts.
Pennsylvania regulators need to look into both the lack of security and BreastCancer.org’s failure to respond to repeated notifications that they were exposing personal and sensitive information.
If you wish to contact the Pennsylvania Attorney General’s Office to file a consumer complaint, you can find information and an online complaint form linked from here.
If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already!
And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.