Dear Earth, Last month I took a paternity test!

Last year, at the Hack in the Box conference in Kuala Lumpur, Malaysia, I predicted that 2011 would be The Year of Privacy Threats.

Let's play a thought game to see how perspicacious my comments were. It won't take long.

Think of all the organisations and companies you've trusted with your personally identifiable information recently. The list probably includes hotel chains, game networks, computer security companies, police departments, mobile phone companies, social networking services, on-line discounters, and more.

Of all the information you've entrusted to others, which would you consider the most embarrassing to see popping up on the internet?

Which sort of data leakage would be most open to misinterpretation, confusion, disappointment, retribution, tears or anger by your boss, spouse, business partner, HR manager or parole officer?

Well, if you've done business with South Australian medical testing company Medvet Science Pty Ltd recently, I may have the answer for you!

In an astonishing security botch-up reported this weekend - ironically in The Australian, one of the publications of the security-beleaguered Murdoch stable - Medvet allowed its customer accounts to be searched, found, indexed and cached by search engines.

A simple Google search, for example, would be enough to recover a wealth of customer names, billing addresses, and services purchased. And the services offered proudly by Medvet - at least until last weekend - include drug and DNA testing.

Had a paternity test? On yourself or on your children? Taken a drug test privately in advance of official workplace screening? Interested in explaining why to all and sundry?

Medvet has, at least, apologised, and has taken its entire web store off-line whilst it works out what to do next. This morning, leaked Medvet data was still readily available in Google's cache; it no longer seems to be, which is a small mercy.

But I'm not sure that you ought to believe the company's claim that "all client information has been removed and is no longer available on the internet."

One of the problems in a modern data breach is recovering each and every outstanding copy of any stolen or leaked data. It's pretty much impossible to do so with any confidence, particularly if your data leaked because arbitrary outsiders could retrieve it at will.

Worse still, in this case, is The Australian newspaper's claim that Medvet has known about this problem since April.

Here's a clarion call to the Australian legislature: we need mandatory data breach disclosure laws.

And we can't dither for another two or three years just because we have a minority government. This is a cross-bench issue which every Australian parliamentarian and public servant should support - a law to ensure that there is no more brushing of data breaches under the carpet.

(An amusing footnote to this incident is that Medvet still announces itself on its website as "the agent of IMVS [a government-run network of pathology labs] and the Royal Adelaide Hospital for the protection and commercialisation of Intellectual Property." Ho hum.)

One Response to Dear Earth, Last month I took a paternity test!

  1. Tom B. · 1139 days ago

    Touché, Touché, KUDOS to you fine I.T.'s. I love your work.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog