SafetyDetectives recently reported that Breastcancer.org has been exposing sensitive information in a misconfigured AWS S3 bucket. According to their report, the exposed data included more than 50,000 registered user avatars and more than 300,000 post images with their EXIF metadata intact (EXIF can include the date, the camera or phone model, and in some cases GPS coordinates). Some post images featured sensitive content that appeared to be intended for private viewing: for example, results from medical tests and images of nudity (most likely taken for medical purposes) that a user would not typically post publicly. The data may have been exposed for years. Read more on SafetyDetectives.

One point that wasn't clear from SafetyDetectives' account was whether the bucket had since been secured. SafetyDetectives started reaching out to BreastCancer.org in November 2021. They describe their multiple efforts, but no outcome was reported. DataBreaches reached out to SafetyDetectives and received the following reply:

"… unfortunately the bucket is still unsecured. We tried to reach the organization several times at different email addresses (including their privacy email, CEO, and basically all the people on their About page). We even reached out via social media (we tried reaching them by publishing a post, because they don't accept private messages), but they haven't replied back. We reached out to US-CERT but they didn't reply, and AWS did reply, but the thing is that they cannot actually secure the bucket, only tell the owner that they need to secure it. We published our report hoping that they would reach out to us to secure it, but they haven't gotten back to us yet."

So more than five months after responsible disclosure attempts began, the bucket was still unsecured. DataBreaches reached out to BreastCancer.org through their website contact form and, like SafetyDetectives, got no reply.
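AWS's reply above deserves a practical caveat. AWS will not change a customer's bucket, but the owner can close a public bucket with a single API call by enabling S3 Block Public Access, and can confirm the exposure from three settings it already controls: the bucket policy, the ACL grants, and the existing Block Public Access configuration. The script below is an added example written for this page, not code from DataBreaches, SafetyDetectives or Breastcancer.org. The bucket name, policy and ACL grants in it are constructed samples, not the real bucket's configuration, and the evaluation is deliberately simplified: it treats any statement with a Condition as non-public, which is looser than AWS's own definition, and it only checks read access.

```python
"""Added example for this page (not DataBreaches', SafetyDetectives' or
Breastcancer.org's code). Decides whether an S3 bucket is publicly readable
from the bucket policy, ACL grants and Block Public Access settings.
All inputs below are constructed samples."""
import json

# Canned ACL grantee URIs meaning "anyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers); both count as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions that let an anonymous caller download objects or list the
# bucket (compared case-insensitively, exact strings only).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Block Public Access configuration that overrides every public policy/ACL;
# it is what `aws s3api put-public-access-block` takes as its configuration.
LOCKDOWN = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a policy Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a list."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def policy_is_public(policy):
    """True if an unconditional Allow statement grants a read action to principal '*'."""
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement", [])):
        # Deny statements and conditional grants are treated as non-public here
        # (simplification: AWS only exempts specific condition keys).
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "*" in _principals(stmt.get("Principal", {})) and actions & READ_ACTIONS:
            return True
    return False


def acl_is_public(grants):
    """True if any bucket- or object-level ACL grant gives READ to a public group."""
    return any(
        g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in grants
    )


def bucket_is_public(policy, acl_grants, public_access_block):
    """Combine the three settings the way S3 applies them.

    RestrictPublicBuckets makes S3 ignore an existing public bucket policy and
    IgnorePublicAcls makes it ignore existing public ACLs. BlockPublicPolicy and
    BlockPublicAcls only reject *new* public settings, so they do not change
    whether an already-public bucket is exposed right now.
    """
    pab = public_access_block or {}
    via_policy = policy_is_public(policy) and not pab.get("RestrictPublicBuckets", False)
    via_acl = acl_is_public(acl_grants) and not pab.get("IgnorePublicAcls", False)
    return via_policy or via_acl


# Constructed sample: the classic "public website" bucket policy, with a
# hypothetical bucket name.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-avatars", "arn:aws:s3:::example-avatars/*"],
    }],
})

# Constructed sample: a public-read ACL grant (bucket or object level).
SAMPLE_PUBLIC_ACL = [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]

if __name__ == "__main__":
    print("policy only:", bucket_is_public(SAMPLE_PUBLIC_POLICY, [], None))
    print("policy + lockdown:", bucket_is_public(SAMPLE_PUBLIC_POLICY, [], LOCKDOWN))
    print("acl only:", bucket_is_public(None, SAMPLE_PUBLIC_ACL, None))
```

In practice the three inputs come from `aws s3api get-bucket-policy`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` for the bucket in question, and the fix is `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true` (or the equivalent account-level setting). Note that individual objects can carry their own public ACL even when the bucket ACL is clean, which is why IgnorePublicAcls, not an ACL rewrite, is the reliable way to close that path.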
DataBreaches left them a message on their site telling them that we would be reporting in 48 hours and to lock down their data. There was no reply and the bucket was not secured. At 8:00 am this morning, DataBreaches left a voicemail on their office phone. It reiterated that people had been notifying them for months but they had failed to lock down their Amazon storage bucket, and that DataBreaches would be reporting on it this afternoon. Still nothing, it seems.

The organization's privacy policy page contains this statement:

"How We Protect Your Information
We use reasonable and appropriate administrative, technical, and physical safeguards to protect the information that we collect about you from loss, theft, and unauthorized use, access, modification, or destruction. We also require third-party service providers acting on our behalf or with whom we share your information to maintain security measures in accordance with industry standards. Although we have security safeguards in place, we cannot ensure absolute security in all situations. If you have any questions about our security practices, please contact us as described in the Contact Us section. For your own security, please do not send any confidential personal information to us outside of our Services. It is also important that you maintain the security and control of your account credentials, and not share your password with anyone."

Except that they don't respond to contacts. PA regulators need to look into both the lack of security and BreastCancer.org's failure to respond to repeated notifications that they were exposing personal and sensitive information. If you wish to contact the PA Attorney General's Office to file a consumer complaint, you can find information and an online complaint form linked from here.
If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already! And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.