Report: Unsecured AWS Bucket Leaked Cancer Website User DataResearchers Say Nonprofit's Data Exposure Affects Tens of Thousands
Researchers say an unsecured Amazon Web Services S3 bucket belonging to a nonprofit cancer organization has exposed to the internet sensitive images and related data of tens of thousands of individuals. The mishap is the latest health data-related incident involving misconfigured information technology.
The exposure involved data belonging to Ardmore, Pennsylvania-based Breastcancer.org, a nonprofit online community and information resource, according to the researchers. In 2021, Breastcancer.org received more than 69,000 visits a day, more than 2.1 million visits each month, and more than 25 million total visits, the organization says on its website.
Data exposed on a Breastcancer.org S3 bucket included website users' avatar images and exchangeable image file - or EXIF - data and was discovered last November by researchers at security firm SafetyDetectives, which issued a report about its findings this week.
The Breastcancer.org AWS S3 bucket was left publicly available without any authentication controls in place, the research report says.
SafetyDetectives says the Breastcancer.org AWS S3 bucket appears to have been secured on Wednesday, following multiple attempts by the firm's researchers since November to notify Breastcancer.org about the problem.
"We discovered Breastcancer.org's unsecured bucket on Nov. 11, 2021. It contained files dating back to April 2017, though filenames suggest some of these images date back to 2014 and were migrated to the bucket in 2017. We saw recent files on the bucket, too, dated mid-November 2021. This suggests the bucket was still in use when we found it," SafetyDetectives says.
"On Nov. 17, 2021, we messaged Breastcancer.org regarding its data exposure. We sent another message to both newly found and previously contacted people from the organization on Nov. 21, 2021. We didn’t receive a reply and on Dec. 14, 2021 we sent further messages to AWS, the U.S. Computer Emergency Response Team, and additional Breastcancer.org employees regarding this data exposure," the researchers say.
SafetyDetectives estimates that at least 50,000 Breascancer.org website users' data was exposed on the unsecured AWS bucket.
"It is important to note that Amazon doesn’t manage Breastcancer.org's bucket and this misconfiguration is not Amazon's responsibility," the report says.
The SafetyDetectives report says that Breastcancer.org's unsecured bucket exposed over 350,000 files, totaling about 150GB of data. The bucket exposed the sensitive images of Breastcancer.org's website users. The two separate datasets exposed in the organizations' bucket included user avatars and post images.
User avatars are profile pictures taken from the accounts of Breastcancer.org users. The bucket contained over 50,000 user avatars. Many of the avatars featured images of registered users, the report says.
"While this is publicly available information, user avatars could be used in conjunction with EXIF data to identify vulnerable users," SafetyDetectives says.
Post images were also uploaded to Breastcancer.org by its users. The bucket contained over 300,000 post images, and EXIF data was attached to each post image, SafetyDetectives says. EXIF data exposes numerous details about the format of an image and the context in which it was captured, including devices details and GPS location of captured images.
"Some post images featured sensitive content that felt as though it was intended for private viewing," SafetyDetectives says. "For example, there were results from medical tests and images of nudity - most likely taken for medical purposes - included among the files, contents that a user would not typically post publicly."
The researchers also found that images contained in user accounts that had been uploaded to Breastcancer.org's site from private messages were also exposed.
"Breastcancer.org reaches users around the world and we’d expect there are a significant number of American and European users with images on the bucket," the report says.
Breastcancer.org in a statement provided to Information Security Media Group says it is actively working with its privacy and legal teams to investigate the issue.
"We have taken immediate action to address any potential security risk to Breastcancer.org and our community members' information by disabling the ability to view and upload images as an initial step," the statement says.
"Once we have further information on the issue and a more user-friendly resolution, we will resume members' ability to view and upload images and avatars. We have notified our Breastcancer.org community members by email, community announcements, and on our media page."
Breastcancer.org adds that its investigation is ongoing, so it does not yet know the number of affected individuals. "We are aware of reports of third-party reports about the estimated number of individuals having likely been impacted, but it is important to note that those reports are based on the number of publicly available avatars, not registered website users or the content those users uploaded."
The Breastcancer.org incident comes in the wake of similar health data exposures involving misconfigured cloud systems and other IT.
For instance, last October, an unsecured Amazon Web Services database belonging to India's Dr Lal Path Labs, which offers diagnostic testing, was found exposing approximately 50GB of patient data, including notes related to the results of COVID-19 tests, according to an Australian security researcher (see: Unsecured AWS Database Left Patient Data Exposed).
Last June, a researcher issued a report about discovering an unsecured database containing over 1 billion records related to CVS Health website visitor activity (see: Researcher: 1 Billion CVS Health Website Records Exposed).
Some experts say the Breastcancer.org data leak spotlights too-common security issues among many healthcare sector entities and their vendors.
"I see several significant areas of risk for healthcare organizations and their business associates as they move from controlling their own computer operations and local networks to a hybrid or fully cloud-based environment," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"First is the shift to a shared environment. Boundaries and specific responsibilities of the vendor versus the customer may not be clear to the healthcare entity; staff may assume that the platform vendor, such as AWS, is managing aspects of security that are the customer's duty," she says.
Another related risk is that staff trained in securing traditional technical environments may not have the skills needed to understand and properly manage security in the cloud, she says. "These issues are exacerbated by the fact that many small and medium-size organizations do not have dedicated security professionals," Borten adds.
"Healthcare organizations' leadership must recognize that operating in the cloud brings both benefits and costs - a main cost being in-depth staff training and/or subcontracting cloud and even cloud-specific, such as AWS, Azure, etc., security specialists."
Rebecca Herold, CEO of consulting firm Privacy & Security Brainiacs, a SaaS services company, says multiple factors are contributing to the rash of security incidents involving misconfigurations and similar issues.
"I’ve seen in recent years a degradation of secure applications development, coding practices and procedures - often nonexistent - to make associated administrative changes in production environments," Herold says, adding that in the rush to make quick changes, there is also insufficient testing.
"Many, perhaps most now, are simply testing to ensure that expected actions work correctly, and they are not testing for those actions that are outside of the acceptable inputs. Those unacceptable types of actions are what the hackers, crooks, nation-state cyberattackers, and ethical hackers and researchers who discovered these vulnerabilities are going to try, and often will very easily be able to exploit," she says.
On the other hand, thorough testing prior to putting a system into production would help discover misconfigurations, a lack of authentication controls and other issues, she says.
"Those basic, elementary controls should have existed within what should be a rigorously safeguarded system, especially one used by millions of people.”
Entities that are using AWS buckets also need to ensure that the individuals in the roles of bucket administrators have clearly documented, detailed procedures that they must follow to ensure these types of vulnerabilities do not occur, Herold adds.
"They should include the testing changes that would have caught these types of vulnerabilities. This applies even, and especially, to those third parties that are often contracted to do such administrative activities on an entity's AWS buckets."