#blob

silverwuffamutewuffaf.at@bsky.brid.gy
2025-07-08
2025-07-06

"Repeated data leak offender" - Looking for contacts in Malaysia

This #leak is a really weird story and I am looking for help in #Malaysia.

If I were in the medical business, I would be very careful about what pictures of my customers I store long-term. And there would be tons of safeguards before I would allow them to be stored in a bucket (#Microsoft #Azure #Blob in this case). At the very least I would make sure that the Blob IS NOT world readable and world indexable. Should this ever happen to me, I would be so deeply ashamed that this shame would eternally prevent me from making the same mistake again. Doing this over and over again takes the approach to IT security and privacy protection to a new low.

This brings us to BP Healthcare, a Malaysian healthcare giant that runs a multitude of businesses in that country. This includes online health services, laboratories, pharmacies, dental clinics, eye centers and much, much more. According to their own publications, they serve 35 million customers. Furthermore they seem to rely heavily on cloud services.

While other data leaks (at least four we know of) inside the sprawling empire of BP Healthcare since April 2019 were mostly fixed in a timely fashion (but without ever acknowledging the problem or answering at all), we currently see no less than three Azure blobs with a gigantic amount of data on which (even though the security researcher inquired multiple times) no action is forthcoming.

The data includes

  • One Blob with 1.5 million prescriptions, receipts and invoices
  • One Blob with 1.7 million invoices for healthcare services
  • One Blob with 1.8 million assorted documents

The last blob is the most critical as it seems tied to a medical service provided via chat. The blob contains (among other things) images customers uploaded to show their medical problems. Naturally this includes their customers being in varying states of undress. Surprisingly, a lot of the telemedicine chats involved named patients seeking diagnosis or treatment for sexually transmitted diseases.

We are looking for a government agency (or contact in the technical press) that would take a long hard look at all the IT operations of BP Healthcare. The fact that we see the same problem occurring again and again worries us deeply. Sometimes it is even the same subsidiary that is having the same problem. Furthermore they are exposing the most intimate information about the customers. There are several warning signs that the trouble may run deeper than just these leaks.

Closing remark: I usually do a PostMortem of the data leak including the URL of the leak that was closed. This will not happen in this case. Even a first glance at the cloud infrastructure paints a worrying picture and we are not confident that they will not reopen (assuming they close it in the first place) the leak at some point in the future. Therefore I will abstain from naming it in the report.

Petra van Cronenburg NatureMC@mastodon.online
2025-07-04

Sometimes, when I interview bacteria or animals, I ask myself if it's not too childish. But hey, the highly respected @cnrs lets #blobs talk!
In case you need some #goodNews: Blobs are sure to take over the world (well, my hypothesis). Thanks to the CNRS and a #citizenScience project, they are already living in countless children's bedrooms. 🤫 Listen to a blob: youtube.com/watch?v=Dwcx6yCdDE8

#NatureMatchCuts #blob #PhysarumPolycephalum #slimeMould #learning #intelligence #moreThanHuman

2025-07-01
2025-06-25
Medicinart capsule 017/438 Title: Blobbing The Blob
#art #handmade #noai #pocketsized #analogue #healing #blobbing #blob #waxpastels
2025-06-23
Giuseppe Ceddìateach77
2025-06-20

Tonight 1:40 / Rai 3
Fuori Orario, cose (mai) viste:

Asako I & II
(R. Hamaguchi, 2018)


たくăČあいmiku39rock69lain77to@voskey.icalo.net
2025-06-19
Stefanie Janine Stölting sjstoelting@digitalcourage.social
2025-06-16

Just published a second blog post about #PostgreSQL #BLOB|s covering another method, that I would not advise to use.
proopensource.it/blog/postgres

2025-06-15

Yo Mastodon nerds, I picked this up in the forest, blob or not?

A bright yellow thing clinging to worm-eaten wood
2025-06-03

The La Perm climbing club.

June 3, 2025, 15:45:00 CEST - GMT+2

mobilizon.picasoft.net/events/

icarolongoicarolongo
2025-05-31
Vhen ❄️🦊 foxvhen@wobbl.xyz
2025-05-29
Giuseppe Ceddìateach77
2025-05-23

Tonight on Rai 3 from 1:40 / fuori orario cose (mai) viste...

2025-05-22

(16/18) ... thousands of animals + around ten people hospitalized + local population in
- Irma islands of Saint-Martin + Saint-Barthélemy.
- oceanic wave since 2014 = death of 4 million common murres, Alaska beach + capelin/sand lance/cod + humpback whales -> danger to ecosystems.
- France: law no. 2016-925 of 7 July 2016, classification as sites ...

Impenetrable equations, enigmatic curves, nebulous reasoning
 Mainstream economics invites a double surrender: before the technical difficulties of a world reserved for experts, on the one hand; before immutable scientific "laws", on the other.

The counter-textbook from "Le Monde diplomatique" sets out to reverse this logic. Its ambition? To make economics accessible to as many people as possible and to underline its political nature. In short, to remind us that, like public affairs, the economy is everyone's business. And to enable everyone to take hold of it.
2025-05-09

New phishing trick uses blob URIs to load fake login pages inside your browser. Even trusted links like OneDrive can lead you there.

Read: hackread.com/phishing-attack-b

#CyberSecurity #Phishing #Scam #Blob #InfoSec
