Dr Lal PathLabs reportedly left sensitive data of millions of users on a public server, allegedly allowing anyone to access this information, in a major security lapse. The lab testing company is one of the largest in India and has received approvals from the Indian government for testing COVID-19 patients as well. The firm was reportedly storing hundreds of spreadsheets in a public storage bucket hosted on Amazon Web Services (AWS), until it was informed of the security lapse by an expert. This storage bucket could be accessed by anyone without the need for a password. The spreadsheets contained sensitive information like patient name, address, phone number, among other things.
TechCrunch reports that Australia-based security expert Sami Toivonen first discovered this sensitive data last month, and he immediately reported this lapse of security to Dr Lal PathLabs. While the company took the necessary measures to shut down access to the storage bucket, it did not respond to Toivonen, according to the report. There is no clarity on how long this data was public, but it gave access to all of the sensitive patient information – to anyone who wanted it.
Toivonen told the publication that the exposed storage bucket had millions of individual patient booking information. The hundreds of spreadsheets that were stored on the AWS public server had information like patient's name, address, gender, date of birth, phone number, and details of the test that the patient is taking. Some of the bookings even had information on test result, for instance, if a patient had tested COVID-19 positive or not.
“I'm glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors.I was also a little surprised that they didn't respond to my responsible disclosure,” Toivonen told the publication.
Apart from not acknowledging Toivonen, Dr Lal PathLabs has also not offered any public announcement of this data breach. There is also no clarity on whether the organisation has informed the affected patients or not. This little lapse is a prime example of how complacent large organisations still are with storing sensitive information online. Companies, especially the big ones, need to be aware and educated of how to securely store user data on servers.
How to find the best deals during online sales? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.