It is with a heavy heart we must inform you, once again, folks are accidentally spilling thousands of sensitive pics, records onto the internet

Plus: Iranians accused of hacking IT service providers to get at their customers


Roundup Everything is insecure and everything is broken, exhibits A through Z:

Plastic surgery biz botches storage, leaks patient records

A software vendor specializing in record-keeping tools for plastic surgery clinics poorly secured a storage bucket hosted by Amazon Web Services containing hundreds of thousands of sensitive patient photos and records.

The team at vpnMentor discovered and reported a public-facing, insecure AWS S3 bucket belonging to NextMotion. The French software developer has since taken the bucket offline, but until then the exposed records, which were apparently very intimate, had been accessible to anyone on the internet.

"The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software," noted vpnMentor. "These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated."

Iran accused of hacking vulnerable VPN, RDP servers

Infosec outfit ClearSky claims it has evidence of Iranian hackers, likely state backed, breaking into "dozens of companies around the world in the past three years" by exploiting "known vulnerabilities in systems with unpatched VPN and RDP services." The miscreants target businesses that provide IT services to others, allowing the intruders to menace thousands of customers, we're told.

Keep your external-facing remote-access systems up to date and patched, folks.

Photo app leaks people's photos, info

PhotoSquared left 100,000 customer records on a public-facing, poorly secured Amazon Web Services S3 bucket, according to, once again, peeps at vpnMentor. The 94.7GB data silo was removed from view on Friday, after the company was alerted to the blunder at the end of January. The bucket contained pictures, including personal snaps, receipts, and shipping labels, for thousands of punters, dating from 2016 to last month.
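Both the NextMotion and PhotoSquared leaks above come down to the same question: does the bucket's ACL or bucket policy let anonymous users read it? The script below is an added example, not code from the article or from vpnMentor. It evaluates, offline, the JSON documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return; the sample documents it uses are constructed here (the bucket name, owner ID and VPC endpoint ID are made up), and it assumes you check the account and bucket Block Public Access settings separately with `aws s3api get-public-access-block`.

```python
"""Offline check for public S3 bucket ACLs and bucket policies.

Added example, not code from the article or from vpnMentor. It evaluates the
JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return;
the sample documents below are constructed, so it runs without AWS credentials.
It does not inspect S3 Block Public Access (assumption: check that separately).
"""
import json

# ACL group grantees that open a bucket to everyone / every AWS account holder.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group URI, permission) for every grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def load_policy(get_bucket_policy_response):
    """get-bucket-policy wraps the policy document as a JSON string under "Policy"."""
    return json.loads(get_bucket_policy_response["Policy"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous or any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Split anyone-may Allow statements into unconditioned (public) and conditioned.

    A Condition (e.g. aws:SourceVpce or aws:SourceIp) may restrict who can really
    use the statement, so those are reported for review rather than flagged public.
    """
    public, conditioned = [], []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (conditioned if st.get("Condition") else public).append(label)
    return public, conditioned


def bucket_exposure(acl, policy=None):
    """Return 'public', 'conditional' or 'private' for an ACL plus optional policy."""
    if acl_public_grants(acl):
        return "public"
    public, conditioned = policy_public_statements(policy) if policy else ([], [])
    if public:
        return "public"
    return "conditional" if conditioned else "private"


# Constructed sample documents (made-up owner ID, bucket name and endpoint ID).
OWNER_ONLY_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
                "Permission": "FULL_CONTROL"}],
}
WORLD_READ_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": OWNER_ONLY_ACL["Grants"] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}],
}
PUBLIC_READ_POLICY = load_policy({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})})
VPCE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FromOurVpcEndpoint", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}],
}

if __name__ == "__main__":
    print("owner-only ACL, no policy:  ", bucket_exposure(OWNER_ONLY_ACL))
    print("world-read ACL:             ", bucket_exposure(WORLD_READ_ACL))
    print("private ACL, public policy: ", bucket_exposure(OWNER_ONLY_ACL, PUBLIC_READ_POLICY))
    print("private ACL, VPCE policy:   ", bucket_exposure(OWNER_ONLY_ACL, VPCE_ONLY_POLICY))
```

To run it against a real bucket, feed the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (through `load_policy`) into `bucket_exposure`. A "conditional" result is not a pass: read the Condition and decide whether it actually narrows the audience.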

In brief... Pen Test Partners poked around inside Tesla's car firmware, and documented its software update mechanisms... The FBI has warned private companies of miscreants attempting to hack into and infect vendors in the software supply chain... A systems engineer at a managed service provider is accused of attempting to sell copies of customer data.

Israeli voting app spills citizen data

A botched app rollout by Israel's Likud party leaked the personal information of more than six million citizens. According to Haaretz, the gaffe resulted in the exposure of 6,453,254 folks' data, including addresses, names, genders, and social security numbers.

Malware infection menaces US children's hospital

The Boston Children's Hospital had to take one of its external networks offline this week following a ransomware outbreak that scrambled some patient records. Local news reports the infection hit an affiliate system that handled medical data.

"The Pediatric Physicians’ Organization at Children’s (PPOC) reported a large outage affecting more than 500 primary care doctors, nurse practitioners and physician assistants across the state," says Boston 25 News. "The outage is only affecting offices that are affiliated with Boston Children’s Hospital."

If there is any good news to be had here, it is that the attack was reportedly limited to that affiliate network, so there is no indication that systems at the hospital itself were infected, at least by this outbreak.

Ransomware cost tallied at an arbitrarily large number

Security house Emsisoft compiled a report guesstimating the cost of ransomware in countries around the world. Over the 2019 calendar year, it estimated some 24,770 samples of ransomware caused $1.3bn of damage in the US. For the UK, the number of incidents was placed at 4,999 with damages adding up to $277m (£212m).

These numbers are extrapolated from the number of ransomware samples submitted to an identification service, not from confirmed incidents, so take the above with an enormous pinch of salt.

Puerto Rican government phished for millions

The people of Puerto Rico really didn't need to hear this, but its government fell victim to a massive phishing attack. The island said more than $2.6m in fraudulent payments were sent to crooks after someone in the US territory's Industrial Development Office was convinced to re-route outgoing checks to a different account. The FBI has reportedly been called in to investigate the blunder.

Estee Lauder blushing after records leak

Cosmetics company Estee Lauder also saw millions of its internal documents spill onto the public internet this month, thanks to a poorly configured database. Jeremiah Fowler at Security Discovery said the misconfigured database had more than 440 million logs and records, including company emails. What's worse, the logs also included specific information on some of the middleware systems the company used.

This is particularly bad as that information would be extremely useful to a miscreant who wanted to get a foothold in the company's network and then spread to more secure systems at Estee Lauder. "There were millions of records pertaining to middleware that is used by the Estée Lauder company," Fowler noted.

"In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network." ®




Biting the hand that feeds IT © 1998–2020