A misconfigured AWS bucket exposed personal and counseling logs of almost 300,000 Indian employees
On July 17, this site reported on a leak by a vendor, Medico, Inc., that exposed 300,000 patients’ insurance billing-related records. Today, we report on another leak – this one by another vendor – that also exposed about 300,000 records.
As part of their benefits offerings, companies often offer services to their employees to help them maintain and improve their physical and mental health. I give credit to those firms for trying to provide benefits to employees — as long as they don’t actually require employees to participate in such programs or to share their data with the employer.
But most firms — even large ones — often decide not to offer such services directly to employees, in part because employees may fear that their employer will find out too much about them or that a nosy employee may access their information and share it as gossip. As one result, firms often decide to outsource to third parties or vendors. Which brings us to today’s leak report.
A number of multinational corporations contracted with a firm in India called 1to1Help to provide employee assistance services to employees. 1to1Help.net describes itself:
Founded in 2001, 1to1help.net is India’s leading Employee Assistance Program (EAP) provider. We offer Psychological Counselling and comprehensive Wellness solutions that help employees deal with various work-life challenges like stress, anxiety, parenting, relationship issues both pre & post marital, work-life balance, etc. We currently support 300+ clients and cover 1.7 million lives through our team of 250+ counsellors across 55+ locations in India. We also provide services in the areas of Prevention of Sexual Harassment (POSH), Shiftwork Lifestyle Management, Healthy Maternity, Diversity & Inclusion, Diet and Nutrition and other wellness services.
You can probably guess where this is going, right?
On May 16, a researcher discovered that 1to1Help was exposing data in a misconfigured Amazon S3 bucket. When they eventually had time to look at the data, they found that there were more than 300,000 records with personal and sensitive information in the exposed bucket. The researcher then contacted this site to share their findings.
Beginning on June 10, DataBreaches.net attempted to notify 1to1Help.net of the exposure so that they could secure their database. Emails sent to the site on June 10 and June 11 received no reply and by June 18, the bucket was still unsecured. An India-based cybersecurity firm that has assisted this site in the past in making notifications in India, BanBreach, also attempted to reach out to the firm, but did not reach anyone.
After yet another week went by with no response from 1to1Help.net and finding that the bucket was still not secured, DataBreaches.net decided to start contacting some of 1to1Help’s larger corporate clients, hoping that if their clients called them to say, “Hey, our data is exposed,” they’d get action.
On June 26, I spoke with a top privacy official for the U.S. headquarters of one of the multinational firms affected by the 1to1Help leak and explained the situation to her. I also started reaching out via email to other large corporate clients of 1to1Help.net. Two of the firms were immediately responsive and indicated that they were reaching out to 1to1Help.net.
On July 14, I finally got a response from Anil Bisht, the Director of 1to1Help.net. His email read, in part:
This is the first time I am seeing this kind of mail. We will need to correct our internal escalation processes to ensure that such mails receive the due importance & action. As an organisation, we take data security very seriously. We have been ISO & ISMS certified for many years & have also been tested for VAPT for the past many years.
Bisht has emailed this site several times since then, and their most recent response appears later in this article.
The Client Companies
In the U.S., law enforcement would generally consider the corporate clients to be “victims” of a breach or leak. As such, the DOJ often does not name the corporate entities. But that does nothing to help the firms’ employees who may not have been notified about the leak.
A number of multinational companies had employees in India who availed themselves of 1to1Help.net’s services. In terms of number of employees’ unique email addresses, the largest corporate clients were
- HP; and
All other corporate clients each had fewer than 10,000 employees’ email addresses in the exposed bucket.
Keep in mind that in many cases, this is not the U.S. corporate headquarters that would be responsible but a division in India. Furthermore, the number of employees’ emails did not correlate directly with the number of employees using the counseling services.
In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.
In contacting the firms named above, DataBreaches.net included information on how many email addresses there were from their firm and how many counseling logs with email addresses from their firm. No firm was provided with any personally identifiable information on their employees or any counseling logs from their employees.
Of note, some firms responded to DataBreaches.net’s notification and noted that they had not been clients of 1to1Help.net for many years, which raises other questions as to why these data were stored online instead of securely offsite somewhere. Or why they were still stored at all instead of securely deleted.
There were more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.
Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.
Normally, at this point, I might include some redacted screencaps showing sensitive data, but frankly, these data are so sensitive and so specific that I fear people could recognize themselves or others, so I’m just going to forgo posting any specific samples at all, other than to mention that there were more than 6,000 counseling logs in plain text and that one log showed the employee begging the counselor to keep their conversation about his sexuality-related concerns confidential: “Plzzzzzzzz keep confidential….Plz i beg 4 that…”
Sadly, his identity and his concerns, logged in 2011, were freely available to the world years later in an unsecured bucket.
DataBreaches.net received a statement from Anil Bisht today. It reads, in large part:
As informed by my IT department – this is one of our old partially archived data sets (older than 5 years) which was in an S3 bucket, without due authorization & which we are investigating. This has data which is gathered from our website usage such as articles read, quizzes taken, various self-help resources used and only includes a small percentage of counselling information from the partial data.
As an organization we are committed towards security and have already taken the following measures:-
1. We have enabled AES 256 bit encryption since 2016, so even our DB admins have no access to data.
2. We have informed the concerned potentially impacted parties. However, since the data is very old, we have faced some challenges in reaching out to all of them at once.
3. We have used better password management through iterative hashing.
4. We continue to perform a VA/PT exercise once every year since 2016.
5. We are audited and certified for ISMS 27001:2013 for the last 3 years and will continue this practice.
We are further strengthening the security of our IT platform through the following means:-
1. We are in the process of looking at our security from a data-centric perspective to ensure the data and data flow is entirely secure.
2. We will regularly use AWS Macie.
3. We have now added S3 bucket scanning as an activity so we can check for exposure of any sensitive information.
We are very committed to the cause of counselling and we have saved over 4000 lives which were at suicidal risk, only because the employees have felt that it is safe enough to reach out to us. As a small India-based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.
DataBreaches.net has not divulged sensitive data in this publication, but by the same token, this site will not be part of any coverup of this leak because of concerns that publicizing this incident will dissuade people from seeking counseling.
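The "S3 bucket scanning" item in the remediation list above is the check that would have caught this exposure before a researcher did. What follows is an added example, not 1to1Help's or DataBreaches.net's code: it evaluates a bucket's ACL, bucket policy and Public Access Block settings for anonymous readability, using constructed sample documents shaped like boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` responses (the bucket name is a placeholder).

```python
# Added example, not 1to1Help's or DataBreaches.net's code: decide from an S3 bucket's ACL,
# bucket policy and Public Access Block settings whether anonymous callers can read it. The
# inputs are constructed samples shaped like boto3's get_bucket_acl/get_bucket_policy/
# get_public_access_block responses; no AWS call is made.
import json
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}

def acl_public_grants(acl):
    """Return (permission, group) pairs in an ACL granted to an S3 public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return found

def policy_public_statements(policy_json):
    """Return the Sids of Allow statements whose Principal is the wildcard."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    public = []
    for stmt in statements:
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard:
            public.append(stmt.get("Sid", "<no Sid>"))
    return public

def assess_bucket(acl, policy_json=None, public_access_block=None):
    """Report public grants/statements and whether they survive Public Access Block."""
    pab = public_access_block or {}
    grants = acl_public_grants(acl)
    sids = policy_public_statements(policy_json) if policy_json else []
    # IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets blocks
    # anonymous and cross-account use of a public bucket policy.
    acl_open = bool(grants) and not pab.get("IgnorePublicAcls", False)
    policy_open = bool(sids) and not pab.get("RestrictPublicBuckets", False)
    return {"acl_grants": grants, "policy_sids": sids, "exposed": acl_open or policy_open}

# Constructed sample: READ for everyone via the ACL plus anonymous GetObject in the policy.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}]})
HARDENED_PAB = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets"), True)
```

Run against the sample, `assess_bucket(SAMPLE_ACL, SAMPLE_POLICY)` reports the bucket as exposed through both the ACL and the policy, while passing `HARDENED_PAB` as the third argument shows the same grants rendered ineffective once account- or bucket-level Public Access Block is on.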
Bisht’s email continued:
Unfortunately, we are unable to divulge any further specific information due to our strict contractual obligations with our customers. Our objective is to arrive at a solution which secures both the interests of our clients and end users.
We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.
As a matter of policy, DataBreaches.net retains data until entities have made full enough disclosure that I can be confident that not only have I reported accurately, but that they would have no grounds to claim otherwise.
Update of August 7: While thanking me in email, Bisht was apparently seeking an injunction to prevent publication about the leak. On August 7, I received notification of an injunction and their attempt to file criminal charges against me. Read more here.