Spin the wheel and find today's leaky cloud DB... *clack clack... clack* A huge trove of medical malpractice complaints

In what has become a depressingly common occurrence, the personal information of hundreds of thousands of people may have fallen into the wrong hands because yet another organization did not secure a cloud-hosted database. This time around, social media marketing house xSocialMedia has been accused of failing to set up proper …

  1. Anonymous Coward

    But the cloud is safe and secure...

    As someone who is a bit of an expert in 'Big Data' and working with clients on their Cloud Strategy, I always hear how Hadoop is dead and everyone is moving to the cloud. How the cloud is secure.

    The truth is yes... AWS, which has been around the longest, does have a list of security pluses. If you know what you're doing you can put stuff on AWS and it will be secure.

    However: this isn't the norm. Meaning that most who jump to the cloud and get their AWS certification can still mung up the works by failing to properly secure their environment. All it takes is one developer or someone not thinking to open up the door ... When you go on prem, you have a team of people responsible and the developers usually don't have the level of access to open the door to a breach. (YMMV and this is outside of phishing attacks.)

    This is yet one more on the list of breaches that could have been avoided.

    1. Richard 12 Silver badge

      Re: But the cloud is safe and secure...

      If nothing else, on-premises has the advantage of automatically being defended by the rest of the corporate network.

      You have to make deliberate changes to make anything available outside the corporate network and thus are unlikely to do it by accident.

      Cloud is outside, and exposed to the world by default. It rains on everyone, and everyone can see them from miles away.

      1. Michael Wojcik Silver badge

        Re: But the cloud is safe and secure...

        If nothing else, on-premises has the advantage of automatically being defended by the rest of the corporate network.

        Considerable evidence shows that this is feeble protection, and steadily becoming less useful. Medium and large corporations typically have a huge public network attack surface and weak internal defenses, even the ones running IDS/IPS. Active monitoring and behavioral analytics help, but relatively few organizations use them. Even automated attacks can frequently perform pivot-and-escalate maneuvers once inside the perimeter, and a dedicated attacker nearly always can (see for example the history of the Hacking Team hack).

        You have to make deliberate changes to make anything available outside the corporate network and thus are unlikely to do it by accident.

        For most organizations this is simply not true. Internal devices that can make connections to the outside create potential tunnels into the network. That includes every employee who can run a browser and view external sites. BYOD and other portable devices often introduce new vectors without any interaction with or knowledge of IT. IT gets told to let managers connect their smartphones to the internal network when they're on the premises, with no control over what apps are running on those phones. People sit in coffee shops browsing arbitrary sites over unsecured HTTP on company laptops, then connect to the internal network over VPN, opening it to CSRF, XSS, and browser vulnerabilities.

        These are all commonplaces in the IT security community. There's nothing exotic about any of it.

        The "Egg Model" (hard on the outside, soft on the inside) of corporate network protection provides some defense, but not nearly as much as many people think.

  2. IGotOut Silver badge

    Not sure on the HIPAA bit

    Going by "Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission." I'm not sure this applies, as it is not the professional bodies that have "lost" this info, as it was the victims themselves that supplied the info to a 3rd party who then lost it.

    Now if the USA wasn't so corrupted by big business, they may get some decent laws to cover this, but no doubt they'll just end up with another years free credit checking.

    1. Ian Michael Gumby

      @IGotOut Re: Not sure on the HIPAA bit

      HIPAA is written not only so that you can't release patient information without consent, but so that you have an obligation to protect said information.

      Meaning that if you have a breach, you can be sued and the burden is on you to show that you followed best practices to secure the data.

      This is where the lawyers come in...

      To make it even more confusing... you'd have to also show why placing the data in the cloud was a good idea in the first place.

      I don't know of any lawsuits that have gone to trial over HIPAA data leaks. There are also other laws regarding privacy of data in general, not just HIPAA, that protect your data and your rights.

      IANAL, just have had to deal with them over the years over contracts and other stuff.

  3. Kevin McMurtrie Silver badge

    Again, no need for password

    It sounds like a phishing and referral scam site left the database open because, why not?

  4. Christoph

    Option for nasty revenge

    Log on to this type of site as someone you don't like, enter all sorts of embarrassing details, and wait for it to leak.

  5. Tromos

    Today's lesson is:

    Never click a facebook ad.

    1. Doctor Syntax Silver badge

      Re: Today's lesson is:

      Today's and everyday's.

    2. Ian Michael Gumby

      Re: Today's lesson is:

      You are on facebook?

      That's the first lesson. Learn to say no to FB.

  6. Doctor Syntax Silver badge

    It's high time personal data handling was treated similarly to financial services and other professions. Above some minimum combination of volume and sensitivity businesses should be licensed and subject to spot checks. Maybe a requirement for individuals in senior management to be licensed. Unlicensed businesses and their operators fined heavily. The boards of businesses that are wound up or go into Chapter 11 etc. and thereby avoid fines face imprisonment. GDPR goes so far but only catches offenders after complaints. There's a need for enforcement to be pro-active.

    1. GnuTzu

      Fines, Fines, Fines, Fines...

      Yes to mandatory standards compliance with the teeth to make it stick.
