Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak
from the thanks-for-the-help!-they-sued dept
For doing the company the favor of informing it about a leaky AWS bucket exposing sensitive counseling records of 300,000 Indian employees, the company -- 1to1Help -- has filed a criminal complaint against the person who brought the situation to its attention.
In the middle of May, a researcher came across the exposed data and informed Dissent Doe of DataBreaches.net about their findings. After verifying the leak, Dissent Doe began trying to contact 1to1Help to inform it of the leak. No response was received until over a month later, possibly prompted by Dissent Doe contacting a large American company that was a customer of 1to1Help.
The slow response was blamed on internal email routing. Here's some of what was seen in the exposed bucket:
In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.
[...]
There were more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.
Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.
Keep in mind that 1to1Help is a counseling firm that provides mental and physical health services to customers. That gives you some idea just how sensitive this information is, especially when bundled with the usual PII and personal email addresses.
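The article does not say how the bucket came to be world-readable, only that it was. The check below is an added example (not code from the article, from DataBreaches.net or from 1to1Help) of the audit a practitioner would run against their own S3 buckets: it evaluates the three things that decide whether anonymous or any-AWS-account reads succeed (public ACL grants, a public bucket policy, and the Block Public Access settings that neutralise both) and flags missing guard rails separately. The live-collection function assumes boto3 and credentials allowed to call GetBucketAcl, GetBucketPolicyStatus and GetBucketPublicAccessBlock; the two sample postures and the bucket name are constructed for illustration and are not 1to1Help's configuration.

```python
"""Audit S3 buckets for world-readable exposure.

Added example; the decision logic is kept separate from the AWS calls so
it can be exercised offline on constructed inputs.
"""
from dataclasses import dataclass, field

# Grantee URIs that make an ACL grant public (AllUsers is anonymous;
# AuthenticatedUsers is any AWS account, which is effectively public too).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketPosture:
    """What the audit needs to know about one bucket."""
    name: str
    public_access_block: dict = field(default_factory=dict)  # {} if unset
    acl_grants: list = field(default_factory=list)           # GetBucketAcl Grants
    policy_is_public: bool = False                           # PolicyStatus.IsPublic


def public_acl_permissions(grants):
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    perms = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            perms.add(grant.get("Permission"))
    return sorted(perms)


def evaluate(posture):
    """Return {'exposed': bool, 'reasons': [...], 'warnings': [...]}.

    'reasons' are conditions under which public reads succeed right now;
    'warnings' are missing guard rails that would let a future mistake
    become an exposure.
    """
    pab = posture.public_access_block
    reasons, warnings = [], []

    acl_perms = public_acl_permissions(posture.acl_grants)
    # IgnorePublicAcls neutralises public ACL grants even if they exist.
    if acl_perms and not pab.get("IgnorePublicAcls", False):
        reasons.append(f"ACL grants {acl_perms} to a public group")
    # RestrictPublicBuckets confines a public policy to the account/services.
    if posture.policy_is_public and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy is public")

    missing = [k for k in BPA_SETTINGS if not pab.get(k, False)]
    if missing:
        warnings.append(f"Block Public Access not fully enabled: {missing}")
    return {"exposed": bool(reasons), "reasons": reasons, "warnings": warnings}


def fetch_posture(bucket, s3=None):
    """Collect a live bucket's posture with boto3 (needs AWS credentials).

    boto3 is imported lazily so the offline parts work without it installed.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = s3 or boto3.client("s3")
    posture = BucketPosture(name=bucket)
    try:
        posture.public_access_block = s3.get_public_access_block(
            Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    posture.acl_grants = s3.get_bucket_acl(Bucket=bucket)["Grants"]
    try:
        posture.policy_is_public = s3.get_bucket_policy_status(
            Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    return posture


# Constructed sample postures (not real buckets, not 1to1Help's config).
# LEAKY is one common way a bucket ends up world-readable: no Block Public
# Access and a public-read ACL. HARDENED is the same bucket with the guard
# rails on, which neutralises the stale grant and a public policy alike.
LEAKY = BucketPosture(
    name="example-counseling-exports",
    acl_grants=[
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
)
HARDENED = BucketPosture(
    name="example-counseling-exports",
    public_access_block={k: True for k in BPA_SETTINGS},
    acl_grants=LEAKY.acl_grants,
    policy_is_public=True,
)

if __name__ == "__main__":
    for posture in (LEAKY, HARDENED):
        print(posture.name, evaluate(posture))
```

Run it as-is to see the two constructed postures scored; to audit a real bucket, call `evaluate(fetch_posture("bucket-name"))`. Note that `evaluate` reports a bucket with a public policy but `RestrictPublicBuckets` enabled as not exposed, which matches how S3 treats it, and that object-level ACLs are not inspected here, so a bucket that scores clean can still hold individually public objects unless `IgnorePublicAcls` is on.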
The contact person at 1to1Help sent an email detailing the steps the company had taken and the preventive measures it had deployed to avoid a repeat. Unfortunately, 1to1Help's Anil Bisht also tried to talk Dissent Doe out of writing about this leak.
As a small India based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.
[...]
We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.
Doe refused, stating that she would not be covering up the leak. Nor would she delete the data until full disclosure was made by 1to1Help.
Because of this refusal to cover up 1to1Help's screw-up, the company has decided to take legal action against Doe and her site by filing a criminal complaint in India. It has already managed to secure an injunction against the site forbidding it from publishing… an article that has already been published.
The injunction was issued by a civil court in Bengaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:
- from disclosing, publishing or broadcasting the schedule data or any part thereof; and
- from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;
The suit also seeks to direct Domain People to block the website of DataBreaches.net.
As Doe notes, it appears 1to1Help's lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.
Second, the lawyers claimed Doe's site was "rogue," due to it containing no contact information for Doe. They were either wrong or lying, as Doe's site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.
Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That's called journalism, not blackmail, and either its lawyers can't comprehend that or willfully misportrayed this extremely common process to the court.
The problem isn't the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.
This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.
What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?
This is far too common a response and it's certainly not limited to India, where the legal system is often used to target speech complainants don't like. Doe resides in the United States, so the First Amendment protects everything she's written, even from a company halfway around the world that doesn't like its lax security discussed in public.
Filed Under: breaches, criminal complaint, dissent doe, india, leaks, reporting
Companies: 1to1help
Streisand Effect didn't translate...
Let's try this...
रवीना टंडन प्रभाव (Raveena Tandon effect)
Re:
I had to use Translate for that... but apparently the Wikipedia page for Raveena Tandon has no mention at all of anything similar to the "Streisand effect".
I assume the "Tandon Effect" is something similar but the wikipedia page has been purged of all info about it?
Re: Re:
Google hadn't connected Babs to any similar thing in Bollywood, so I just searched for a scandal that they tried to cover up and rolled the dice.
But good on you for taking the time to decode the Hindi.
Typical
Doe - pounding on door and yelling "Your apartment is on fire!"
1to1 - "Thanks but please don't tell the neighbors"
Doe - "No, that would be reckless and stupid"
1to1- "We're calling the police to have you arrested for disturbing the peace and attempting to blackmail us by telling our neighbors that our apartment is on fire!"
Indian Court - "Not only shouldn't you have told the neighbors about the fire, but you aren't allowed to tell anyone else about it going forward!"
Based upon the reaction, I assume the data was exposed intentionally.
suicide was criminalized
I don't support suicide but are they really going to prosecute a corpse?
I don't think they thought that law through.
Re:
Probably not, but I assume they will go after third parties even if the third party had nothing to do with it.
Re:
It might be that attempting suicide is criminalized, and they'll prosecute you if you survive.
Or they might go after your next-of-kin with financial penalties.
Re: Re:
Normally attempted suicide is criminalized to allow "protective" incarceration.
Re: Re:
" It might be that attempting suicide is criminalized, and they'll prosecute you if you survive."
Otherwise, just regular suicide charges?
Re:
are they really going to prosecute a corpse?
The RIAA's attempted that on multiple occasions.
Ah yes, shoot the messenger! Problem solved.
Indian Law
If the blogger's not in India, what can they actually do about it?
Re: Indian Law
Probably can't do anything but who knows.
Automated Process
Perhaps an anonymous automated process should be developed where vulnerabilities can be reported to the company. Once the process begins, the information is provided to the public after ten days (or whatever). The company can respond and the initial report can be deactivated in a variety of ways, plus a general expiration of the report. That way the company can take action or not, but at least the person who reports the issue doesn't have to take the risk that the company is run by idiots and/or assholes.
Re: Automated Process
They'd just sue whoever maintains the automated process, unfortunately.
Note: This post included a link to the Techdirt tag "shooting the messenger", yet does not include that self-same tag. Seems like an omission to me.
A reminder that it's not just American courts that are steeped in corruption and incompetence.
Re:
It's the company that's at fault, not the court. It's not their fault the lawyers misled them.
SPEECH Act
I realize the SPEECH Act only specifically applies to libel, but I wonder if it would have an effect on civil court gag orders that would violate the first amendment?
https://en.wikipedia.org/wiki/SPEECH_Act