Expert Comments

Experts On Millions Of Records Belonging To Medical Testing Firm Found Exposed Online

Expert(s): Security Experts
Expert(s): Security Experts

Dr Lal PathLabs, one of the largest lab testing companies in India, left a huge cache of patient data on a public server for months, TechCrunch has learned. The lab testing giant, headquartered in New Delhi, serves some 70,000 patients a day, and quickly became a major player in testing patients for COVID-19 after winning approval from the Indian government. But the company was storing hundreds of large spreadsheets packed with sensitive patient data in a storage bucket, hosted on Amazon Web Services (AWS), without a password, allowing anyone to access the data inside.

Experts Comments

Dot Your Expert Comments
Sergio Lourerio
October 12, 2020
Cloud Security Director
Outpost24

companies using AWS for analytics or big data projects and making careless mistakes in the misconfiguration
This is another case of sensitive data on AWS buckets being left wide open on the internet, with little to no security. We’ve seen this time and time again - companies using AWS for analytics or big data projects and making careless mistakes in the misconfiguration. To prevent this scenario companies must ensure they have the security process and controls in place to assess and be alerted of potential misconfigurations on a continuous basis.
Warren Poschman
October 12, 2020
Senior Solutions Architect
comforte AG

Another week, another AWS misconfigured server.
Another week, another AWS misconfigured server. It is clear that those that choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of AWS, ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough. Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional .....Read More
Another week, another AWS misconfigured server. It is clear that those that choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of AWS, ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough. Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets but security often lags due to the focus on, in the case of healthcare, patient care over IT. Clearly, Dr. Lal PathLabs Ltd have an enormous treasure of sensitive data, so besides improving their perimeter defense, they should explore a data-centric security approach. That way, they could pro-actively protect their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents.  Read Less
Niamh Vianney Muldoon
October 12, 2020
Senior Director of Trust and Security, EMEA
OneLogin

Dr Lal PathLabs were fortunate to have received warning from a benevolent security expert.
To collect such sensitive data without having the basic security controls in place breaches PII regulatory and Healthcare compliance requirements, never mind industry best practices. Dr Lal PathLabs were fortunate to have received warning from a benevolent security expert but we do not know how long the information has been exposed and what other actors may have gained access. The company has a responsibility to swiftly reach out to patients and inform them of these circumstances, including.....Read More
To collect such sensitive data without having the basic security controls in place breaches PII regulatory and Healthcare compliance requirements, never mind industry best practices. Dr Lal PathLabs were fortunate to have received warning from a benevolent security expert but we do not know how long the information has been exposed and what other actors may have gained access. The company has a responsibility to swiftly reach out to patients and inform them of these circumstances, including providing full details of their data exposed as well as offer guidance on next steps. Best practice for a breach like this would include offering Identity theft and fraud prevention services to those impacted individuals.  Read Less
Jamie Akhtar
October 12, 2020
CEO and Co-founder
CyberSmart

Breaches often happen when organisations are overwhelmed just as in this case.
Breaches often happen when organisations are overwhelmed just as in this case. That's why it's critical to have secure processes and policies in place so that security is built into every day operations. Not using password protection, allowing everyone full access to sensitive data- this is breaking the fundamental rules of cyber hygiene. Employees should be educated on basic cyber security as well as the impacts that a breach can have on their organisation and the people they serve to avoid.....Read More
Breaches often happen when organisations are overwhelmed just as in this case. That's why it's critical to have secure processes and policies in place so that security is built into every day operations. Not using password protection, allowing everyone full access to sensitive data- this is breaking the fundamental rules of cyber hygiene. Employees should be educated on basic cyber security as well as the impacts that a breach can have on their organisation and the people they serve to avoid these situations. The UK government's Cyber Essentials scheme does a great job of outlining these fundamentals and can be used as a guide for any business.  Read Less
Chris Hauk
October 12, 2020
Consumer Privacy Champion
Pixel Privacy

Wow! Another day, another unprotected bucket of data.
Wow! Another day, another unprotected bucket of data. It's hard to fathom that a firm would leave unprotected data available on the web, especially in today's atmosphere of heightened security. But, it has happened again. While kudos are deserved for the company quickly securing the data once a security researcher tipped them off, the data should never have been left in an unsecured form. Hopefully Dr Lal PathLabs' "investigation" will result in the responsible parties being disciplined, which .....Read More
Wow! Another day, another unprotected bucket of data. It's hard to fathom that a firm would leave unprotected data available on the web, especially in today's atmosphere of heightened security. But, it has happened again. While kudos are deserved for the company quickly securing the data once a security researcher tipped them off, the data should never have been left in an unsecured form. Hopefully Dr Lal PathLabs' "investigation" will result in the responsible parties being disciplined, which is apparently what it will take for those responsible for data security to begin taking steps to ensure their customers' data is protected from prying eyes.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

15 Schools Hit By Cyberattack In Nottinghamshire

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords