[HN Gopher] Covid Test Data Breach: 1.3M Patient Records Exposed...
___________________________________________________________________
Covid Test Data Breach: 1.3M Patient Records Exposed Online
Author : t0bia_s
Score : 154 points
Date : 2024-01-30 15:32 UTC (7 hours ago)
(HTM) web link (www.vpnmentor.com)
(TXT) w3m dump (www.vpnmentor.com)
| manzanarama wrote:
| I feel frequent data leaks, credit card number leaks, difficulty
| in un-subscribing or stopping payments after subscribing, etc...
| makes me appreciate and want to use consolidated sign in /
| subscription management / payment management options almost
| exclusively.
| bryanlarsen wrote:
| Until there's a breach of the SSO providers, like the Okta
| incident.
| gunapologist99 wrote:
| Okta, Lastpass, Jumpcloud, Authy, Auth0..
|
| the list of hacked SSO providers gets longer by the day.
| anononaut wrote:
| DIY or die
| toyg wrote:
| It's a bit like keeping money... You can stash it under your
| mattress, hoping you'll never suffer a burglary; or you can
| give it to a bank, and let them spend money on security and
| insurance.
|
| This said, banks have specific fiduciary responsibilities and
| the above-mentioned insurance, which compensate for the big
| target they're painting on their own backs; whereas most tech
| services, even massive ones, tend to hide behind service
| agreements boiling down to "eh, if it happens it happens,
| nothing we can do, sucks to be you". Unless they're in
| healthcare, they're barely required to disclose whether they've
| been breached, let alone compensate us for the loss of privacy
| and increased risk of identity fraud that we endure.
|
| Maybe it's time for the legislator to define "personal data
| providers" a bit more rigorously.
| thfuran wrote:
| >and increased risk of identity fraud that we endure.
|
| The problem is even worse than that. The whole framing of the
| issue of identity theft as a thing that happens to a person
| rather than a bank is problematic. That the bank issued
| credit in my name to someone other than me really should be
| entirely their problem, not one that probably messes up my
| life for years.
| systems_glitch wrote:
| Yeah those services offering one-time or service/vendor
| specific CC #s for total management are probably going to have
| a bright and profitable future.
| phpisthebest wrote:
| Until the banks, and credit card companies just offer the
| services themselves for cheaper... Like Capital One and I
| think Discover are already doing
| systems_glitch wrote:
| Yeah but the banks will screw it up somehow :P
| staplers wrote:
| Capital One had per-transaction CC#'s for a bit but
| eventually just went to a single "virtual card" number.
| phpisthebest wrote:
| I have taken to using a single card in person, and a single
| card online. The Card on use online is also a Capital One
| account so I make use of their Eno service to make virtual
| cards for every vendor
|
| If some company does not want to unsub me, I just turn off that
| virtual card.
| Modified3019 wrote:
| I do the same with privacy.com, along with a unique email via
| fastmail's masked email feature.
| 2OEH8eoCRo0 wrote:
| Apple can be hacked like anyone else.
| Retric wrote:
| Shared passwords place you at risk if any of several services
| are hacked. Password managers provide similar convenience
| with a smaller attack surface.
|
| I've defaulted to picking random passwords for most services
| which I don't bother to remember instead using password
| resets. But it's inconvenient.
| ipaddr wrote:
| I like the approach but some places lockup functionality
| after resets. Been burned too often.
| spookie wrote:
| Yeah, I just randomize mine and keep all of that local.
| It's a bit strange seeing people doing the same, but over
| the wire though.
| shiandow wrote:
| That doesn't do much to protect you against a website storing
| government mandated passport information. The only protection
| there would be if authorities stop demanding that everyone
| takes copies of personal IDs.
| staplers wrote:
| > if authorities stop demanding that everyone takes copies of
| > personal IDs
|
| They're actually considering the opposite for social media.
| hhh wrote:
| No it's not. Some of the stuff https://decodeproject.eu/ has
| been working on seems apt for this, specifically the
| attribute based credentials stuff.
| systems_glitch wrote:
| Yeah, when did that become acceptable?! I've had a bunch of
| sites request a photo or scan of my state-issued driver's
| license, like that's just OK to ask people to send to them.
| hhh wrote:
| When courts started requiring it.
| hosteur wrote:
| Banks KYC practices normalized this.
| systems_glitch wrote:
| I have no problem showing ID to my local bank though.
| They at most photocopy it and put it in a paper file,
| which maybe goes into Docstar or something. I don't trust
| $big_tech_site to actually a) do a good job securing it
| and b) not just sell the information to someone anyway.
|
| It's silly. AT&T wanted it from me to add a phone on a
| business account that was shipping to our physical
| address, which has not ever changed since the account was
| opened. eBay wanted it (and my SSN! and my wife's!)
| despite our account being a business account registered
| with an EIN and connected to a business bank account.
| Instagram/Facebook/Meta/whatever wanted it to reactivate
| a dormant account that talked to a still-valid email
| address to which I had access.
| hiccuphippo wrote:
| Yes. Why wait to get p0wn3d one account at a time when they can
| p0wn all your accounts at once.
| FrustratedMonky wrote:
| Not US Gov.
|
| -> "The exposed certificates and other documents were all marked
| with the name and logo of Coronalab.eu. Although the website
| appears to be offline, Coronalab is owned by Microbe & Lab, an
| ISO-certified laboratory based in Amsterdam, Netherlands.
| According to the NL Times, "CoronaLab is one of the two largest
| commercial test providers in the Netherlands"."
| TriangleEdge wrote:
| > ... a non-password protected database that contained nearly 1.3
| million records ...
|
| Breach is not the word I would use here.
| RockRobotRock wrote:
| if you forgot to lock your front door, and your TV was gone,
| does that count as burglary?
| ipaddr wrote:
| Don't have a front door and an open diary was copied with
| personal info?
| Manfred wrote:
| Acquiring something that isn't your property is not legal in
| most countries. It's not really relevant if it's behind a
| door.
| TheCapn wrote:
| And accessing a computer system without proper
| authorization is often illegal. So I'm not sure what point
| you're making.
| pizzafeelsright wrote:
| It's negligent on the api side.
| AndrewJajack wrote:
| During the height of COVID, I was exploring the API design of the
| top-selling COVID tests on Amazon. Several had wildly unsecured
| APIs--sequential patient IDs but the results endpoint assumed
| knowing the "secret" patient ID counted as auth. Or just
| completely open GraphQL implementations, no different than a
| password-less db...
|
| For anyone considering DIYing a diagnostics program, don't. But
| I'm biased (I'm the founder of a YC-backed diagnostics as a
| service co: https://spotdx.com)
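The pattern AndrewJajack describes above, a results endpoint where knowing a sequential patient ID is the only "authentication", modelled as an added example beside a hardened version. This is illustrative code written for this page, not code from any test vendor or from spotdx; the class names, the session-token scheme and all patient data are constructed assumptions, and the endpoints are plain Python functions rather than an HTTP framework so the block runs offline.

```python
"""Added example, not from the page or any product it names.

Vulnerable design: sequential patient IDs, and the results lookup treats
possession of the ID as authorization. Hardened design: unguessable IDs
plus an ownership check against a session bound to the authenticated patient.
All patients, outcomes and tokens below are constructed sample data.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Result:
    patient_id: str
    outcome: str


class AuthError(Exception):
    """Raised by the hardened API when a request is not authorized."""


# --- Vulnerable design: sequential IDs, no session check ----------------
class VulnerableResultsApi:
    def __init__(self) -> None:
        self._next_id = 1000               # assumption: IDs start at 1000
        self._results: dict[str, Result] = {}

    def register(self, outcome: str) -> str:
        pid = str(self._next_id)            # predictable: previous ID + 1
        self._next_id += 1
        self._results[pid] = Result(pid, outcome)
        return pid

    def get_result(self, patient_id: str):
        # "Knowing the ID counts as auth": no session, no ownership check.
        r = self._results.get(patient_id)
        return None if r is None else r.outcome


def enumerate_results(api: VulnerableResultsApi, start: int, count: int) -> dict:
    """What an attacker does against sequential IDs: walk the ID space."""
    found = {}
    for n in range(start, start + count):
        out = api.get_result(str(n))
        if out is not None:
            found[str(n)] = out
    return found


# --- Hardened design ----------------------------------------------------
class HardenedResultsApi:
    def __init__(self) -> None:
        self._results: dict[str, Result] = {}
        self._sessions: dict[str, str] = {}   # session token -> patient_id

    def register(self, outcome: str) -> str:
        pid = secrets.token_urlsafe(16)       # 128 bits of randomness, not enumerable
        self._results[pid] = Result(pid, outcome)
        return pid

    def login(self, patient_id: str) -> str:
        # Assumption: the patient's identity was already proven elsewhere
        # (e.g. an out-of-band login); here we only mint an opaque bearer token
        # bound to that patient.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = patient_id
        return token

    def get_result(self, session_token: str, patient_id: str) -> str:
        owner = self._sessions.get(session_token)
        if owner is None:
            raise AuthError("no valid session")
        # Ownership check: the session must belong to the record requested.
        # compare_digest keeps the comparison constant-time for ASCII strings.
        if not hmac.compare_digest(owner, patient_id):
            raise AuthError("forbidden")
        r = self._results.get(patient_id)
        if r is None:
            raise AuthError("forbidden")      # same answer as the ownership failure
        return r.outcome


def denied(api: HardenedResultsApi, session_token: str, patient_id: str) -> bool:
    """True if the hardened API refuses the request (used for checks below)."""
    try:
        api.get_result(session_token, patient_id)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    v = VulnerableResultsApi()
    v.register("negative"); v.register("positive")
    print("enumerated:", enumerate_results(v, 1000, 5))   # both records leak

    h = HardenedResultsApi()
    mine, theirs = h.register("positive"), h.register("negative")
    tok = h.login(mine)
    print("own result:", h.get_result(tok, mine))
    print("other patient denied:", denied(h, tok, theirs))
```

The two fixes are independent and both needed: random IDs stop bulk enumeration, while the session-to-owner check stops a logged-in patient from reading someone else's record even if they learn that record's ID (for example from a leaked certificate). Returning the same error for "not yours" and "does not exist" keeps the endpoint from becoming an oracle for which IDs are valid.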
| radicalbyte wrote:
| I was working for the NL government on COVID stuff and the only
| thing I can say is that it's a shame I'm under NDA. It changed
| my view of the tech industry and I feel silly for calling
| colleagues in the past out for what I consider inadequate
| practices. As all were _far_ above the mean.
| gattilorenz wrote:
| Weren't CoronaCheck and CoronaMelder open source? I would
| have assumed plenty of people would audit them, but I don't
| recall seeing any negative news (jokes on their availability
| aside)
| radicalbyte wrote:
| Yeah they're open source and they're great (I worked on
| both). We put a lot of effort into making them into
| excellent examples.
|
| My original post is referring to other things outside of
| the Ministry. My role was deep and broad so I got to see a
| lot.
| YeBanKo wrote:
| I am surprised there isn't some law in NL that would allow
| you to expose it either to the public or maybe at least to
| MPs and not be bound by NDA.
| radicalbyte wrote:
| Oh our apps were fantastic - an awesome example of what
| happens when you have top tier technical management
| combined with skilled technical people.
|
| Only during the process you get exposure to a lot of
| _other_ things (and a _lot_ of that is not government).
| amluto wrote:
| The fact that at-home tests had an API of any sort was already
| a major screwup IMO.
| dankwizard wrote:
| Imagine using diagnostics as a service in a sentence with a
| straight face LOL
| VadimPR wrote:
| I've gotten myself tested by a lab in Amsterdam a few times. What
| do I do now?
|
| I'm in the industry and even I don't have an actionable course to
| take.
| zooq_ai wrote:
| What should you do? Thank your lucky stars that you live such a
| privileged life that you can feel outraged about things that
| absolutely don't matter
| _heimdall wrote:
| Is anyone actually surprised? Everything was thrown together in a
| huge hurry and governments were playing fast and loose with laws
| and regulations.
|
| I'm making no judgement on whether that approach was a net
| positive or negative here, but the writing was on the wall from
| day 1 with regards to data security.
| m463 wrote:
| It seems that anyone entrusted with private information will
| eventually be breached. I think that there should be legislation
| - strong legislation - that protects our society's individuals
| and their information. Make it an uncomfortable and costly
| responsibility to collect information, store it temporarily and
| long-term.
|
| Additionally, connecting devices to the internet directly or
| indirectly should have the same sorts of responsibilities.
| lr1970 wrote:
| We should have well defined mechanisms for sunsetting and
| destroying data.
___________________________________________________________________
(page generated 2024-01-30 23:01 UTC)