Two more leaks expose Indian citizens’ personal and medical information
This week, DataBreaches.net learned that a civil court in Bengaluru had issued a preliminary injunction prohibiting this site from publishing anything about a data security incident involving 1to1Help.net. This site received notice of the injunction five days after the article appeared. At the same time, I learned that 1to1Help.net had filed a criminal complaint against me.
As I’ve previously noted, 1to1Help.net’s supporting documents for the injunction and criminal complaint are replete with downright false and/or inaccurate claims and descriptions. Thankfully, most people seem to realize that their bad faith behavior is a desperate attempt on their part to deflect from the fact that they had a serious data security leak that exposed very sensitive information on many people. And in trying to get my work censored, they are starting to learn about the Streisand Effect, it seems.
At another time, I may respond in detail — point by point — to all of 1to1Help.net’s false claims, distortions, and misunderstandings. For now, however, I want to report on two other leaks by Indian entities. In these two other cases, despite my best efforts, and despite the efforts of equally concerned others, the data are still not secured. The data are not secured despite the fact that the entities did receive the notifications. They just didn’t follow up with appropriate steps to secure the leaking data.
In the reports that follow, I will not name the entities because their data are still unsecured. But I will describe the situations, and if anyone figures out who they are, well, at this point, I won’t feel guilty about the disclosure. This is on the entities for not having responded appropriately.
Case 1: Bloodbank
On May 29, a researcher (who has asked me not to name him) found that a bloodbank in India was leaking more than 1,100,000 blood donors’ personal information. The exposed data, all in plain text, included donors’ first name, last name, date of birth, postal address, email address, home phone number, mobile phone number, gender, and blood group. The open directory also revealed that there were other files with information on hospitals and physicians.
DataBreaches.net attempted to notify the bloodbank through its on-site contact form, but got no response to multiple contacts through the site and via email. Nor was there any response to an email sent to the company listed on the website as being responsible for the design and technology of the site.
Sadly, it wasn’t just me who failed to get the data locked down properly. Despite efforts by Banbreach to reach them by phone, and despite CERT-IN being contacted by PhoenixMaster (another person who engages in responsible disclosure as part of the GDI Foundation), the data remain publicly available if you know where to look.
Perhaps the bloodbank will claim that they did do something after repeated attempts by at least four parties to get them to secure their data. And they’d be partly right. When we checked the link one day after CERT-IN was contacted, the file was not accessible. We hoped that meant they had secured it properly or removed it. But no, our hopes were dashed when we checked further and discovered that they had only changed the filename to add digits to the end of the previous filename. I’m not sure how they thought obfuscation might help when they still have an open directory: the directory listing itself reveals the new filename to anyone who looks. And why didn’t their tech company help them when we reached out to the tech company?
Case 2: Multi-Discipline Clinic
In mid-June, this site was also made aware of a clinic in India that had uploaded thousands of images of patient prescriptions and notes. The name of the unsecured Amazon S3 bucket did not provide any clue as to ownership or who to notify, and so I began going through the image files to see if I could find any information to help me determine ownership. What I found was a number of doctors and clinics whose patient notes were uploaded.
This was not good, to put it mildly.
Eventually, I came to a tentative conclusion as to ownership of the bucket and started emailing the doctor through the Gmail address on their stationery in the images. I got no answer until, on my third attempt, I also started cc:ing other doctors whose files were also in the exposed bucket. At that point, the first doctor responded to my email.
And what happened next was somewhat mind-boggling. I will not reproduce the entire email exchanges, but the doctor started out by telling me that his patients had not resisted him uploading files so they could review them. I was skeptical that his patients would actually consent to their files being viewable by the entire world with no login required, but at least it sounded like he had tried to obtain consent for something. But it’s what happened next that is so disturbing:
He left it that way.
At first, I thought we were having a communication problem, so I kept emailing him to make sure he understood that it was not enough that he had agreed he would stop uploading scans. I urged him to contact an IT person to get help securing the bucket or just deleting it if he wasn’t going to use it anymore. He did neither. Even after he assured me he understood what I was telling him, his only response was that he had stopped uploading. On August 4, in response to my email telling him I would be reporting on the leak and asking him again if he was planning to secure it, he replied:
Sir plz do not report. This has happened unknowingly. I will do whatever that is needful. Thx.sir
Concerned that he misunderstood my email about reporting and that he thought that if he did something I wouldn’t report, I wrote to him again to make sure that he understood that I would be reporting it as an accidental disclosure but that he needed to secure the bucket. I repeated the URL for him that he should point an IT consultant to. I had previously given him a URL to a help file on Amazon about how to secure S3 buckets.
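For readers in the doctor’s position, or the IT consultant he should have called, here is what closing a bucket like this looks like in practice. This is an added example, not code from the original post or from Amazon; it assumes AWS CLI v2 with credentials for the bucket owner, and the bucket name is a placeholder.

```shell
#!/bin/sh
# Added example: audit an S3 bucket's Block Public Access settings and turn
# all four on. Assumes AWS CLI v2 and owner credentials; BUCKET is a placeholder.
BUCKET="${BUCKET:-placeholder-clinic-scans-bucket}"

# Return 0 only when all four Block Public Access flags are true in the JSON
# that `aws s3api get-public-access-block` prints; 1 if any is false or absent.
pab_is_closed() {
    json="$1"
    for flag in BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets; do
        printf '%s' "$json" | grep -Eq "\"$flag\"[[:space:]]*:[[:space:]]*true" || return 1
    done
    return 0
}

# Read the current state; a bucket with no configuration makes the get call
# fail, which we treat as fully open. Apply all four flags when needed, then
# ask S3 whether the bucket policy still makes the bucket public.
audit_and_close() {
    current="$(aws s3api get-public-access-block --bucket "$BUCKET" 2>/dev/null)" || current='{}'
    if pab_is_closed "$current"; then
        echo "$BUCKET: Block Public Access already fully enabled"
        return 0
    fi
    echo "$BUCKET: public access not fully blocked, enabling all four flags"
    aws s3api put-public-access-block --bucket "$BUCKET" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    aws s3api get-bucket-policy-status --bucket "$BUCKET" 2>/dev/null \
        || echo "$BUCKET: no bucket policy attached"
}

# Constructed samples of the get call's output, used to exercise pab_is_closed
# offline: a half-configured bucket (still open) and a fully closed one.
SAMPLE_OPEN='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": false, "BlockPublicPolicy": true, "RestrictPublicBuckets": false}}'
SAMPLE_CLOSED='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}'

# Only touch a real bucket when explicitly asked: `BUCKET=name sh close.sh --apply`
if [ "${1:-}" = "--apply" ]; then
    audit_and_close
fi
```

Blocking public access stops anonymous reads going forward; it does not tell the owner who already downloaded the scans, which is why notification is a separate step.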
I had run out of ideas and yet the data were still not secured.
On August 8, I received this email from the doctor:
Sir sincere thanks for your concern. From day one of your email i have stopped it. Now i do not have the expertice to tackle the problem and am not tech savy. Have a good day.
So that’s it. He can just walk away from responsibility for exposing more than 10,000 patient files and no one tells him that he has an obligation to secure them? Or to notify patients whose information was exposed?
Indian data protection is not mature. I understand that. And I understand that they may not understand our approach to responsible disclosure or our concept of press freedom.
Trying to censor reporting of security failures and trying to criminalize the behavior of those who went above and beyond to help you meet your obligations to secure data is not in India’s best interests. 1to1Help.net’s self-serving behavior is short-sighted. Indian infosecurity for all citizens will suffer if researchers become afraid to notify entities for fear of prosecution.
But as for me, well, I intend to continue reporting on leaks and breaches in India. Because sometimes when you try to shoot the messenger, the messenger shoots back.