GitHub Leaks: Lessons Learned
Marianne Kolbasuk McGee reports:
Recent incidents involving inadvertent exposure of patient data on GitHub, a software development and version control platform designed for collaboration, point to the need to ensure that data loss prevention tools are implemented, available security controls are leveraged and employees are made aware of the risks involved in using internet-facing platforms.
In the most recent incident, COVID-19 test results and other sensitive data of 164,000 individuals collected by the Wyoming Department of Health were exposed on GitHub.
In another incident [disclosed] earlier this month, the PHI of 136,000 individuals was accidentally exposed on GitHub by an employee of revenue cycle management vendor Med-Data Inc.
Those incidents follow the discovery last year by Dutch independent security researcher Jelle Ursem of several other health data exposures on GitHub.
Read more on GovInfoSecurity.
I fervently wish lessons had been learned already, but I fear they still haven’t. The Med-Data incident was another incident discovered by Jelle Ursem and first reported by DataBreaches.net after Ursem and the blog had alerted Med-Data to the leak.
DataBreaches.net asked Ursem if he thinks lessons have been learned. He says that a few have —
at least for the organisations that we discovered leaks for, I can confirm that they have learned lessons and (most of them) vowed to improve their ways in educating developers.
I cannot say that this is the case for the rest of the IT industry at large. New credentials and secrets are being uploaded to Github daily.