This Week in Data Breaches: Hundreds of Millions of Facebook Passwords Stored in Plaintext
From news of a leak that exposed millions of medical records to revelations that Facebook stored hundreds of millions of passwords in plaintext, here we round up the latest in data security and privacy news.
Meditab Left Millions of Medical Records Exposed
Meditab, a health technology company, left millions of medical records, doctors’ notes, and prescriptions exposed for nearly a year because the server holding them had no password. As reported by TechCrunch, the exposed fax server contained more than 6 million documents in total, and newly received faxes could be read in real time as they arrived. Not only did the faxes contain personal health data such as blood test results, but in some cases they also included Social Security numbers and payment details.
Although Meditab claims to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, an unauthenticated server reachable from the Internet is a failure of basic access control whatever the company’s compliance posture; the kind of routine external scan of one’s own address space that would have caught it is cheap. Fines levied for HIPAA violations by the Department of Health and Human Services have risen significantly in recent years, reaching more than $25 million in 2017 alone.
Facebook Stored Hundreds of Millions of Passwords in Plaintext
Last week, new revelations emerged of even more security failures at Facebook, with the company admitting that it “mistakenly” stored hundreds of millions of passwords in plaintext. Those affected included hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users. While the company said that it has “found no evidence to date that anyone internally abused or improperly accessed” accounts, the internal systems holding the plaintext passwords were searchable and accessible by roughly 2,000 employees. The point worth stressing is that a password should never be stored at all, encrypted or otherwise: a service should keep only a per-user salted hash produced by a deliberately slow function such as bcrypt, scrypt or Argon2, and its request logging should never capture the credential on the way in.
Facebook’s account is hard to square with the scale of the exposure. Security journalist Brian Krebs reported that “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords.” Facebook’s own internal investigation has, according to Krebs, found archives containing plaintext passwords that date as far back as 2012. News of Facebook’s password issues comes as concern about the company’s misuse of user data has reached a fever pitch.
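What correct handling looks like, as an added illustration for this roundup (this is not Facebook’s code or anything described in the reports): the password is never persisted, only a per-user salted PBKDF2 hash; login compares in constant time; and request events are scrubbed before they reach a log. The field names, the sample credential and the in-memory store are constructed for the example. PBKDF2-HMAC-SHA256 is used because it ships with the Python standard library; bcrypt, scrypt or Argon2id are preferable where a library is available.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2-HMAC-SHA256 is the slow hash available in the standard library.
# 600,000 iterations follows current OWASP guidance for PBKDF2-SHA256.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16

# Request fields treated as credentials. Assumed for this example,
# not taken from any real schema.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new_password",
                    "old_password", "secret", "token"}


def hash_password(password: str, iterations: int = KDF_ITERATIONS) -> str:
    """Derive the stored record: name$iterations$salt$digest (hex fields).

    A fresh random salt per user means two users with the same password
    get different records, so a stolen table cannot be attacked with one
    precomputed list.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    name, iterations, salt_hex, digest_hex = record.split("$")
    if name != KDF_NAME:
        raise ValueError(f"unsupported credential record: {name}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def log_event_unsafe(event: dict) -> str:
    """The failure mode: serialise the whole request, credential included."""
    return json.dumps(event)


def log_event_redacted(event: dict) -> str:
    """Scrub credential fields before the event is written anywhere."""
    scrubbed = {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
                for k, v in event.items()}
    return json.dumps(scrubbed)


def register_user(store: dict, log: list, username: str, password: str) -> None:
    """Persist only the derived record and a redacted log line."""
    store[username] = hash_password(password)
    log.append(log_event_redacted(
        {"event": "register", "user": username, "password": password}))


def login(store: dict, log: list, username: str, password: str) -> bool:
    """Check a login attempt; the raw password never reaches store or log."""
    record = store.get(username)
    if record is None:
        # Burn the same KDF cost for unknown users so response time does
        # not reveal whether an account exists.
        hash_password(password)
        ok = False
    else:
        ok = verify_password(password, record)
    log.append(log_event_redacted(
        {"event": "login", "user": username, "password": password, "ok": ok}))
    return ok


def credential_leaked(plaintext: str, *haystacks: str) -> bool:
    """Audit check: does the raw credential appear in any stored or logged text?"""
    return any(plaintext in h for h in haystacks)


if __name__ == "__main__":
    store, log = {}, []
    register_user(store, log, "alice", "correct horse battery staple")
    print(login(store, log, "alice", "correct horse battery staple"))
    print(credential_leaked("correct horse battery staple", store["alice"], *log))
```

The `credential_leaked` check is the test a practitioner would actually run against a real system: grep the credential store and a sample of the logs for a known test password after exercising the login path. Had Facebook’s internal logging been subject to that check, the plaintext capture described above would have been caught on the first run.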
Read more from Wired.
FEMA Exposed Data of Millions of Disaster Survivors
Last Friday, FEMA, the Federal Emergency Management Agency, admitted that it inadvertently leaked the data of 2.3 million disaster survivors. The exposure, which the agency has described as a “major privacy incident”, included data from survivors of the California wildfires in 2017 and the Harvey, Irma, and Maria hurricanes. Information on the survivors included names, dates of birth, eligibility dates, FEMA registration numbers, the last four digits of Social Security numbers, home addresses, bank names, electronic transfer numbers, and bank transit numbers.
The information was errantly shared with a temporary-housing contractor that was not authorized to receive it, putting FEMA in violation of the Privacy Act of 1974 and Department of Homeland Security policy. According to Wired, “FEMA says that the leaked data wasn’t stolen or abused while the contractor possessed it, but there’s also no way to confirm that.” FEMA has said that there are no indications that the data has been compromised, despite concerns from the security community that the incident puts disaster survivors at increased risk of identity theft and fraud.
Read more from The Washington Post.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data.
Bloom enables you to own, authorize the use of, and protect your data using the latest advancements in blockchain technology. With Bloom, the risk of your data being exposed in a data breach or leak is greatly reduced. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Your identity, and your highly sensitive personal and financial information, is securely safeguarded on your own personal device using cutting-edge cryptography.