Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak
from the thanks-for-the-help!-they-sued dept
For doing the company the favor of informing it about a leaky AWS bucket exposing sensitive counseling records of 300,000 Indian employees, the company — 1to1Help — has filed a criminal complaint against the person who brought the situation to its attention.
In the middle of May, a researcher came across the exposed data and informed Dissent Doe of DataBreaches.net about their findings. After verifying the leak, Dissent Doe began trying to contact 1to1Help to inform it of the leak. No response was received until over a month later, possibly prompted by Dissent Doe contacting a large American company that was a customer of 1to1Help.
The slow response was blamed on internal email routing. Here’s some of what was seen in the exposed bucket:
In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.
[…]
There was more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.
Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.
Keep in mind that 1to1Help is a counseling firm that provides mental and physical health services to customers. That gives you some idea just how sensitive this information is, especially when bundled with the usual PII and personal email addresses.
The contact person at 1to1Help sent an email detailing the steps the company had taken, as well as preventative measures deployed to prevent further leaks in the future. Unfortunately, 1to1Help’s Anil Bisht also tried to talk Dissent Doe out of writing about this leak.
As a small India based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.
[…]
We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.
Doe refused, stating that she would not be covering up the leak. Nor would she delete the data until full disclosure was made by 1to1Help.
Because of this refusal to cover up 1to1Help’s screw-up, the company has decided to take legal action against Doe and her site by filing a criminal complaint in India. It has already managed to secure an injunction against the site forbidding it from publishing… an article that has already been published.
The injunction was issued by a civil court in Bangaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:
– from disclosing, publishing or broadcasting the schedule data or any part thereof; and
– from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;
The suit also seeks to direct Domain People to block the website of DataBreaches.net.
As Doe notes, it appears 1to1Help’s lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.
Second, the lawyers claimed Doe’s site was “rogue,” due to it containing no contact information for Doe. They were either wrong or lying, as Doe’s site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.
Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That’s called journalism, not blackmail, and either its lawyers can’t comprehend that or willfully misportrayed this extremely common process to the court.
The problem isn’t the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.
This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.
What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?
This is far too common a response and it’s certainly not limited to India, where the legal system is often used to target speech complainants don’t like. Doe resides in the United States, so the First Amendment protects everything she’s written, even from a company halfway around the world that doesn’t like its lax security discussed in public.
Filed Under: breaches, criminal complaint, dissent doe, india, leaks, reporting
Companies: 1to1help
Comments on “Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak”
Streisand Effect didn’t translate…
Lets try this…
रवीना टंडन प्रभाव
Re: Re:
i had to use Translate for that… but apparently the wikipedia page for Raveena Tandon has no mention at all of anything similar to the "Streisand effect".
I assume the "Tandon Effect" is something similar but the wikipedia page has been purged of all info about it?
Re: Re: Re:
Google hadn;t connected Babs to any similar thing in Bollywood, so I just searched for a scandal that they tried to cover up and rolled the dice.
But good on you for taking the time to decode the Hindi.
Typical
Doe – pounding on door and yelling "Your apartment is on fire!"
1to1 – "Thanks but please don’t tell the neighbors"
Doe – "No, that would be reckless and stupid"
1to1- "We’re calling the police to have you arrested for disturbing the peace and attempting to blackmail us by telling our neighbors that our apartment is on fire!"
Indian Court – "Not only shouldn’t you have told the neighbors about the fire, but you aren’t allowed to tell anyone else about it going forward!"
Based upon the reaction, I assume the data was exposed intentionally.
suicide was criminalized
I dont support suicide but are they really going to prosecute a corpse?
I don’t think they thought that law through.
Re: Re:
Probably not, but I assume they will go after third parties even if the third party had nothing to do with it.
Re: Re:
It might be that attempting suicide is criminalized, and they’ll prosecute you if you survive.
Or they might go after your next-of-kin with financial penalties.
Re: Re: Re:
Normally attempted suicide is criminalized to allow "protective" incarceration.
Re: Re: Re:
" It might be that attempting suicide is criminalized, and they’ll prosecute you if you survive."
Otherwise, just regular suicide charges?
Re: Re:
are they really going to prosecute a corpse?
The RIAA’s attempted that on multiple occasions.
Ah yes, shoot the messenger! Problem solved.
Indian Law
If the bloggers not in India what can they actually do about it>?
Re: Indian Law
Probably can’t do anything but who knows.
Automated Process
Perhaps a anonymous automated process should be developed where vulnerabilities can be reported to the company. Once the process begins the information is provided to the public after ten days (or whatever). The company can respond and the initial report can be deactivated in a variety of ways plus a general expiration of the report. That way the company can take action or not but at least the person who reports the issue doen’t have to take the risk that the company is run by idiots and/or assholes.
Re: Automated Process
They’d just sue whoever maintains the automated process, unfortunately.
Note: This post included a link to the Techdirt tag "shooting the messenger", yet does not include that self-same tag. Seems like an omission to me.
A reminder that it’s not just American courts that are steeped in corruption and incompetence.
Re: Re:
It’s the company that’s at fault, not the court. It’s not their fault the lawyers misled them.
SPEECH Act
SPEECH Act
I realize the SPEECH Act only specifically applies to libel, but I wonder if it would have an effect on civil court gag orders that would violate the first amendment?
https://en.wikipedia.org/wiki/SPEECH_Act