Originally published at: https://boingboing.net/2020/02/14/databases-leak-exposed-900k-pl.html
Leaked images, many of them graphic nude photos, were from imaging firm NextMotion in France
Editors, please. Everyone knows that hackers wear hoodies and dark glasses while doxing.
We reserve our formalwear black balaclavas strictly for when we’re stealing credit cards.
Looking at this further, I was completely unsurprised to confirm to myself that:
NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured.
This recurring idiocy has me suspecting that every AWS training course erroneously specifies that admins have to go to the extra trouble of turning off and then leaving off the default security on their buckets.
Until I saw it was a French doc, I was picturing HIPPA violations galore. No clue what the regs in France are, but I have to think this will not end well for the practice.
I clicked through to this article thinking “How odd that a plastic surgery firm would name itself after a weirdly capitalized racial slur.”
Elard apologized for the “fortunately minor incident.”
Yeah… in the US, this “minor” incident would be not-so-minor, with an exceptionally mahoosive fine attached to it. (Still might be, if any of the patients whose data was, uh, exposed are from the US.)
For future reference: HIPAA (Health Insurance Portability and Accountability Act)
I don’t think it is any different in the EU. It is a minor incident in the “if we minimise this incident then maybe we will get fewer people take us to court over it” sense.
As a security engineer who specializes in locking down AWS infrastructure, the problem is IAM (AWS’ permission system) is complicated, awkward and was bolted onto S3 after the fact so it has extra opportunities for getting it wrong. S3 definitely fails secure, but this usually means it blocks access you are trying to authorize. When a junior IT technician is told to just make it work, it’s easier to figure out the “open access globally” solution than the correct “open access minimally” solution. That’s why this keeps happening.
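To make the “open access globally” versus “open access minimally” contrast concrete, here is an added example (not code from the commenter above or from AWS): two constructed S3 bucket policies side by side, plus a small offline checker that flags Allow statements any principal on the internet can use. The bucket name, account id, role name and object prefix are placeholders; nothing here talks to AWS.

```python
"""Added example: an offline linter for S3 bucket policy JSON.

Two constructed policies show the two outcomes the comment describes:
OPEN_GLOBALLY is the "just make it work" policy (anyone may list and read
the bucket); OPEN_MINIMALLY grants one role read access to one prefix.
All bucket names, account ids and role names are placeholders.
"""
import json

# Constructed: anyone on the internet may list the bucket and read every object.
OPEN_GLOBALLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-clinic-images",
                     "arn:aws:s3:::example-clinic-images/*"],
    }],
})

# Constructed: one named role in one account may read objects under one prefix.
OPEN_MINIMALLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ImagingAppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/imaging-app"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-clinic-images/patients/*"],
    }],
})


def _as_list(value):
    """Policy grammar allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*", a list, or {"AWS": ...}) into a list of strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, (str, list)):
        return _as_list(principal)
    flattened = []
    for value in principal.values():
        flattened.extend(_as_list(value))
    return flattened


def public_statements(policy_json):
    """Return the Sids of Allow statements usable by any AWS principal.

    A statement is flagged when its Principal contains "*" (this covers both
    "Principal": "*" and "Principal": {"AWS": "*"}) and it carries no
    Condition block.  A Condition may narrow access enough to be safe, but
    that needs a human to read it, so conditioned statements are not flagged.
    """
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def wildcard_actions(policy_json):
    """Return Sids of Allow statements granting s3:* (over-broad even when scoped)."""
    policy = json.loads(policy_json)
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and "s3:*" in _as_list(stmt.get("Action", []))
    ]


if __name__ == "__main__":
    for name, policy in (("open globally", OPEN_GLOBALLY),
                         ("open minimally", OPEN_MINIMALLY)):
        print(f"{name}: public={public_statements(policy)} "
              f"wildcard={wildcard_actions(policy)}")
```

The checker reads the same JSON an administrator would paste into the bucket policy editor, so it can run in a pre-deploy review step before a policy ever reaches a bucket. In a real account, S3 Block Public Access settings applied at the account level are the stronger guard: they reject public bucket policies regardless of what an individual technician types.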
Thanks. I truly couldn’t figure out why these AWS breach disasters keep happening despite the defaults and despite the major news stories.
The times I’ve set up an instance (not my main job, but I do it now and then), the permissions seemed straightforward to me. But I’ve been in tech for decades and these days I’m the one setting the timetables for roll-outs so I can take my time being diligent.
TFA says that patient data from “clinics around the world” were leaked. So not only do they have GDPR violations to answer for, but a heap of HIPPA violations to go with them.
The out of luck patients who live outside of the USA or EU have little recourse. The category of unprotected schmucks now includes the citizens of Great Adequate Britain.