Dr Lal PathLabs, one of the largest lab testing companies in India, left a huge cache of patient data on a public server for months, TechCrunch has learned. The lab testing giant, headquartered in New Delhi, serves some 70,000 patients a day, and quickly became a major player in testing patients for COVID-19 after winning approval from the Indian government. But the company was storing hundreds of large spreadsheets packed with sensitive patient data in a storage bucket, hosted on Amazon Web Services (AWS), without a password, allowing anyone to access the data inside.
This is another case of sensitive data on AWS buckets being left wide open on the internet, with little to no security. We’ve seen this time and time again – companies using AWS for analytics or big data projects and making careless configuration mistakes. To prevent this scenario, companies must ensure they have the security processes and controls in place to assess, and be alerted to, potential misconfigurations on a continuous basis.
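The continuous misconfiguration check the comment above asks for has to look in three places on an S3 bucket: the bucket ACL, the bucket policy, and the Public Access Block settings that can override the first two. The following is an added example written for this page, not code from Dr Lal PathLabs, TechCrunch or any of the commenters; it evaluates those three inputs in the JSON shapes the AWS `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` APIs return, on constructed sample data (the bucket name, IDs and policies are hypothetical) so it runs offline with no AWS credentials.

```python
"""Offline check: is an S3 bucket reachable by anyone on the internet?

Added example for this page (not the company's or any commenter's code).
Inputs are dicts in the shape boto3 returns from get_bucket_acl,
get_bucket_policy (after json.loads) and get_public_access_block.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public_grants(acl):
    """Permissions the bucket ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    # Wildcard principals appear as "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy):
    """Allow statements with a wildcard principal and no Condition block."""
    if policy is None:
        return []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    public = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A Condition (aws:SourceVpce, aws:SourceIp, ...) may narrow the grant;
            # such statements need human review but are not flagged as public here.
            continue
        actions = st.get("Action", [])
        public.append((st.get("Sid", "<no Sid>"), [actions] if isinstance(actions, str) else actions))
    return public


def effective_public_access(acl, policy, pab):
    """Combine ACL, policy and Public Access Block into one verdict."""
    pab = pab or {}
    acl_findings = acl_public_grants(acl)
    if pab.get("IgnorePublicAcls"):
        acl_findings = []          # IgnorePublicAcls neutralises public ACL grants
    policy_findings = policy_public_statements(policy)
    if pab.get("RestrictPublicBuckets"):
        policy_findings = []       # RestrictPublicBuckets stops anonymous use of a public policy
    return {"acl": acl_findings, "policy": policy_findings,
            "public": bool(acl_findings or policy_findings)}


# Constructed sample data (hypothetical bucket and IDs, not real settings).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
EXPOSED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}''')
VPC_ONLY_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                 "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}''')
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, acl, pol, pab in [("exposed-acl", EXPOSED_ACL, None, None),
                                ("public-policy", PRIVATE_ACL, PUBLIC_READ_POLICY, None),
                                ("vpc-only", PRIVATE_ACL, VPC_ONLY_POLICY, None),
                                ("hardened", EXPOSED_ACL, PUBLIC_READ_POLICY, HARDENED_PAB)]:
        print(name, effective_public_access(acl, pol, pab))
```

In a real deployment the three dicts come from `boto3` calls per bucket (the `GetPublicAccessBlock` call raises `NoSuchPublicAccessBlockConfiguration` when nothing is set, which should be treated as an empty dict), and the `public: True` verdict is what feeds the alert. The "hardened" case shows why the account-level Public Access Block is the cheapest control: even with a public ACL and a public policy still in place, the bucket is no longer reachable anonymously.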
Another week, another AWS misconfigured server. It is clear that those who choose to use cloud-based databases must perform the necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of AWS, Elasticsearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough.
Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets, but security often lags due to the focus on, in the case of healthcare, patient care over IT. Clearly, Dr. Lal PathLabs Ltd have an enormous treasure of sensitive data, so besides improving their perimeter defence, they should explore a data-centric security approach. That way, they could proactively protect their data against breaches instead of playing constant catch-up in terms of addressing the many different root causes that can lead to cyber incidents.
To collect such sensitive data without having the basic security controls in place breaches PII regulatory and healthcare compliance requirements, never mind industry best practices. Dr Lal PathLabs were fortunate to have received a warning from a benevolent security expert, but we do not know how long the information has been exposed and what other actors may have gained access. The company has a responsibility to swiftly reach out to patients and inform them of these circumstances, including providing full details of the data exposed as well as offering guidance on next steps. Best practice for a breach like this would include offering identity theft and fraud prevention services to the impacted individuals.
Breaches often happen when organisations are overwhelmed, just as in this case. That’s why it’s critical to have secure processes and policies in place so that security is built into everyday operations. Not using password protection, allowing everyone full access to sensitive data: this is breaking the fundamental rules of cyber hygiene. Employees should be educated on basic cyber security as well as the impact that a breach can have on their organisation and the people they serve, to avoid these situations. The UK government’s Cyber Essentials scheme does a great job of outlining these fundamentals and can be used as a guide for any business.
Wow! Another day, another unprotected bucket of data. It’s hard to fathom that a firm would leave unprotected data available on the web, especially in today’s atmosphere of heightened security. But, it has happened again. While kudos are deserved for the company quickly securing the data once a security researcher tipped them off, the data should never have been left in an unsecured form.
Hopefully Dr Lal PathLabs’ “investigation” will result in the responsible parties being disciplined, which is apparently what it will take for those responsible for data security to begin taking steps to ensure their customers’ data is protected from prying eyes.