BETTER LATE THAN NEVER —
Post that reported 300,000 unsecured records is also subject of a criminal complaint.
The blogger behind a widely followed data-breach reporting service said an online counseling service has obtained an injunction barring her from publishing an article that went live five days earlier. The blogger says her article is also the subject of a criminal complaint.
The August 1 post on DataBreaches.net reported that a misconfigured Amazon Web Services bucket exposed more than 300,000 records relating to people who sought counseling-related services from 1to1Help. Writing under the pseudonym “Dissent,” the blogger said she first notified the company of the exposure on June 10. More than two weeks later, when the data still hadn’t been taken down, she said she began contacting multinational companies that had contracted with 1to1Help to notify them that their employees’ information was exposed. The reporter also regularly notified the parties of her deadline for publishing.
On July 4, the blogger reported, she finally received a response from a 1to1Help lawyer. The lawyer said the exposed data came from an archive that was older than five years. For the past three years, the lawyer said in a statement, the company encrypted sensitive data in a way that prevented even company administrators from accessing it. “This has data which is gathered from our website usage such as articles read, quizzes taken, various self-help resources used and only includes a small percentage of counselling [sic] information from the partial data,” the lawyer added.
On Wednesday, DataBreaches.net reported that Dissent received a packet of court documents issued a day earlier by a civil court in Bangalore, India. The packet claimed the court had issued an injunction against her August 1 article. The underlying lawsuit, Wednesday’s post also reported, is seeking an order requiring Domain People, the registrar used to register DataBreaches.net, to block the domain. The packet, Dissent told Ars, also included a copy of a criminal complaint.
Dissent didn’t publish the court papers and declined to send them to Ars for this post. She provided screenshots that showed some of the documents included in the packet. The cover letter shown below carries the subject “complaint regarding commission of the offenses relating to hacking of the website belonging to the complainant and records under Sec. 66 read with Sec. 43 of the Information Technology Act. 2000 and other offenses under Indian Penal Code 1860.”
Dissent denies hacking the site in any way. She also denies having tried to blackmail 1to1Help.
“I was going to publish the story,” she said. “It was just a question of how much they would tell me about what happened and when, etc. There was never any suggestion that I would not publish even though they didn’t want me to, of course.”
Wednesday’s report has understandably concerned researchers who sniff out data breaches.
“This is troubling,” Chris Vickery, Director of Cyber Risk Research at security firm UpGuard, wrote on Twitter. “I have known and communicated with @PogoWasRight [Dissent’s Twitter handle] for several years now. There is no doubt in my mind that she has acted appropriately here. Having a foreign court issue an injunction against an already-published article is not good incident response by ‘1to1.’”
At best, there may be a language/culture barrier in play (as 1to1 is wrongfully claiming that a journalist stating a deadline for response should be construed the same way as a criminal’s extortion deadline).
At worst, 1to1 is fabricating details to the Indian court.
— Chris Vickery (@VickerySec) August 8, 2019
Representatives of 1to1Help didn’t respond to an email seeking comment for this post.