For doing it the favor of reporting a leaky AWS S3 bucket that exposed sensitive counseling records on roughly 300,000 Indian employees, 1to1Help, an India-based counseling firm, has filed a criminal complaint against the person who brought the exposure to its attention.
In the middle of May, a researcher came across the exposed data and passed the findings to Dissent Doe of DataBreaches.net. After verifying the leak, Dissent Doe began trying to contact 1to1Help to notify it. No response came until more than a month later, possibly prompted by Dissent Doe contacting a large American company that was a customer of 1to1Help.
The slow response was blamed on internal email routing. Here is some of what Doe reported seeing in the exposed bucket:
In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.
There were more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.
Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.
Keep in mind that 1to1Help is a counseling firm that provides mental and physical health services to customers. That gives you some idea just how sensitive this information is, especially when bundled with the usual PII and personal email addresses.
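An exposure like this is usually a bucket policy or ACL that grants read access to everyone, left in place with S3 Block Public Access turned off. The check below is an added example, not code from this article, from DataBreaches.net or from 1to1Help: it evaluates a bucket's policy document, ACL and Public Access Block configuration offline and reports whether objects would be world-readable. The policy, ACL and configuration documents are constructed for illustration, and the bucket name `example-counseling-data` is hypothetical.

```python
"""Offline check: would this S3 bucket's policy/ACL expose its objects to the world?

Added example; the policy, ACL and Public Access Block documents below are
constructed for illustration, and the bucket name is hypothetical.
"""
import fnmatch
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for entry in principal.values():
        out.extend(_as_list(entry))
    return out


def policy_public_read(policy_json):
    """Return the Sids (or positions) of Allow statements that let anyone read objects.

    An action pattern such as "s3:GetObject", "s3:Get*", "s3:*" or "*" counts.
    A statement carrying a Condition still counts: conditions are often
    mis-scoped, so it is reported for review rather than silently trusted.
    """
    policy = json.loads(policy_json)
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _principals(st.get("Principal", {})):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def block_shields_bucket(pab):
    """True only when all four Block Public Access flags are set; a partial set is not a shield."""
    return all(pab.get(flag, False) for flag in PAB_FLAGS)


def assess_bucket(policy_json, acl, pab):
    """Combine the three sources: public grants are only effective if Block Public Access is not fully on."""
    policy_hits = policy_public_read(policy_json)
    acl_hits = acl_public_grants(acl)
    shielded = block_shields_bucket(pab)
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "block_public_access": shielded,
        "exposed": bool(policy_hits or acl_hits) and not shielded,
    }


# Constructed sample documents (not the real configuration from the leak).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-counseling-data/*",
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-counseling-data/*",
    }],
})
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
OPEN_PAB = {flag: False for flag in PAB_FLAGS}
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print(assess_bucket(PUBLIC_POLICY, PUBLIC_ACL, OPEN_PAB))
    print(assess_bucket(PRIVATE_POLICY, PRIVATE_ACL, LOCKED_PAB))
```

The documents fed in here are what `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return for a bucket, so the same functions can be run over real output; the point of the combined `exposed` flag is that a public grant only matters when Block Public Access is not fully enabled, which is exactly the combination that makes a bucket world-readable.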
The contact person at 1to1Help sent an email detailing the steps the company had taken, as well as the preventive measures it had deployed against further leaks. Unfortunately, 1to1Help’s Anil Bisht also tried to talk Dissent Doe out of writing about the leak.
As a small India based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.
We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.
Doe refused, stating that she would not be covering up the leak. Nor would she delete the data until full disclosure was made by 1to1Help.
Because of this refusal to cover up 1to1Help’s screw-up, the company has decided to take legal action against Doe and her site by filing a criminal complaint in India. It has already managed to secure an injunction against the site forbidding it from publishing… an article that has already been published.
The injunction was issued by a civil court in Bengaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:
– from disclosing, publishing or broadcasting the schedule data or any part thereof; and
– from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;
The suit also seeks to direct Domain People to block the website of DataBreaches.net.
As Doe notes, it appears 1to1Help’s lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.
Second, the lawyers claimed Doe’s site was “rogue,” due to it containing no contact information for Doe. They were either wrong or lying, as Doe’s site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.
Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That’s called journalism, not blackmail, and either its lawyers can’t comprehend that or willfully misportrayed this extremely common process to the court.
The problem isn’t the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.
This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.
What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?
This is far too common a response and it’s certainly not limited to India, where the legal system is often used to target speech complainants don’t like. Doe resides in the United States, so the First Amendment protects everything she’s written, even from a company halfway around the world that doesn’t like its lax security discussed in public.