Adelaide-based Medvet, one of the largest Australian providers of DNA and drug tests, has announced an on-line data breach that has affected approximately 800 people. The breach was, as far as I can tell, their own fault. It occurred not because they failed to put in place the proper data security, such as the use of data encryption or firewalls, but because they failed to “tell” Google not to index their site. On the other hand, that could be a sign that proper thought wasn’t given to security.
According to several sources — smh.com.au, news.com.au, scmagazine.com.au, and abc.net.au — information on 800 people who ordered tests from Medvet was accessible on-line, possibly since August of last year, although the company became aware of the issue over the July 16 – 17 weekend and claims the leak started last Friday, July 15. (The issue was fixed on Monday. Some think that the information leak started last year because of Google cache’s date and time stamps.)
Medvet is one of the largest providers of drug and paternity tests in Australia, charging up to $770 per test. In this latest breach, it looks like the company’s on-line shopping/order page was made public (based on screenshots), allowing anyone to find customer names, addresses, and order details. The results of these tests were not available, thankfully enough. Furthermore, Medvet claims that customers’ names were not present either, contrary to some reports. The screenshots seem to indicate otherwise.
Criticism – Why Have an Account?
Based on the screenshots and commentary that were published by the media, it appears that there is some kind of order account page that people can log in to place and keep track of their orders, not unlike logging into your amazon.com account. (I have to admit that, based on the looks of it, it may just be an internal order tracking system. Regardless, the fact is that it’s been breached.)
I’ve discussed the issue with colleagues, and some think that an order account shouldn’t exist on the internet for this particular company. It makes sense to have a page to take orders, but why have an account page where you can look up the order and change details? Chances are people won’t change or cancel their orders: DNA and drug tests are not something you decide to order on a whim. And as the unfolding events show, there can be serious complications for setting it up that way.
On the other hand, why not have it? While most might stick by their purchases, there will be a number of people who won’t. It’s all about leveraging the internet to make things more efficient.
Plus, the above argument is in hindsight. I doubt that most professionals setting up an internet order page would have considered the pros and cons of taking orders vs. actually setting up an account.
Criticism – Australia Needs Data Breach Notification Laws
Many have taken to using this incident as evidence that Australia needs laws that force companies to go public with a data breach, something akin to what can be found in the US, Canada, and Europe: the incident was not made public by the company, but by The Weekend Australian when it went public with an exposé.
Better laws might not necessarily be the solution, though: according to some sources, Medvet only learned of the data leak when The Weekend Australian contacted them with what I suppose was a courtesy heads-up. (Others insinuate that the company knew of the problems since April of this year, although the company has denied such claims.)
Perhaps their ignorance absolves them for not notifying customers of the breach as of today (not really), since they hadn’t the foggiest clue, but then how do they account for their slow-as-molasses way of dealing with the situation? It took them nearly two days to figure out what was wrong, fix the problem (i.e., use the Google removal request tool), and go public with the situation, apparently something that didn’t happen of their own volition. Based on what happened and their response, it feels like they didn’t have a data breach contingency plan in place. Would better laws have made a difference?
Perhaps the existence of a data breach notification law with commensurate penalties would ensure a speedier reaction by breached companies. But that doesn’t nip the problem in the bud, which is to have a proactive security mindset, something that is apparently missing in Medvet’s operations.
Doing Security the Right Way
Google has been around for a little over ten years now. While I doubt everyone on the planet knows how the search engine works, I’d bet that anyone who makes a living setting up commercial websites has a pretty good idea of how Google works. Why any professional would set up a site so that online search engines crawl through the order area is beyond me. The incident was entirely preventable.
Of course, that’s not to say that you should rely on a search engine not indexing your site as a security measure: proper data security and access controls mean that, even if you gave permission for search engines to crawl your site, restricted areas would still be blocked by the proper controls.
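To make that point concrete, here is an added example (my own illustration, not code from Medvet or from AlertBoot) of what "proper controls" look like on an order page: the unprotected version is the pattern the post describes, where any visitor, a crawler included, gets the customer's order just by hitting the URL; the hardened version requires a valid session and checks that the order belongs to that account, so the page stays private whether or not robots.txt is honored. Account names, session tokens and orders are constructed sample data.

```python
"""Added example: an order-lookup page that stays private even if a search
engine crawls every URL on the site. All data below is constructed."""
from typing import Optional

# Constructed sample data: order id -> (owning account, order description)
ORDERS = {
    "1001": ("alice", "paternity test kit"),
    "1002": ("bob", "workplace drug screen"),
}
# Constructed sample sessions: bearer token -> account name
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# A hint for well-behaved crawlers only. It is advice, not access control,
# so nothing below depends on it being honored.
ROBOTS_TXT = "User-agent: *\nDisallow: /orders/\n"
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Cache-Control": "no-store, private",
}

def order_page_unprotected(order_id: str) -> tuple:
    """The failure mode in the post: anyone who knows (or guesses) an order
    number, including a crawler, can read the order."""
    if order_id in ORDERS:
        owner, details = ORDERS[order_id]
        return 200, {}, f"Order {order_id} for {owner}: {details}"
    return 404, {}, "not found"

def order_page(order_id: str, session_token: Optional[str]) -> tuple:
    """Hardened form: authenticate the session, then check ownership.
    Returns (status, headers, body) like a tiny web view function."""
    account = SESSIONS.get(session_token) if session_token else None
    if account is None:
        # Crawlers carry no session, so they get nothing, robots.txt or not.
        return 401, PRIVATE_HEADERS, "sign in required"
    order = ORDERS.get(order_id)
    if order is None or order[0] != account:
        # Same answer for "missing" and "someone else's" so order numbers
        # cannot be enumerated by probing.
        return 404, PRIVATE_HEADERS, "not found"
    return 200, PRIVATE_HEADERS, f"Order {order_id}: {order[1]}"

if __name__ == "__main__":
    print(order_page_unprotected("1001"))    # crawler sees a customer's order
    print(order_page("1001", None))          # hardened page: 401
    print(order_page("1001", "tok-alice"))   # owner: 200
    print(order_page("1002", "tok-alice"))   # someone else's order: 404
```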
For example, take a look at a customer who is currently using AlertBoot as part of their data security: DNA TOTAL PROFILE, INC. DNA TOTAL PROFILE offers bio identity preservation by combining biometrics with DNA for the purpose of identification in the event of a fatality or abduction. Obviously, their business requires top-notch data security.
Because bio data is collected in theater where the client is located and then transported to a secure depository for processing, multiple layers of security are utilized to protect client information. This includes using AlertBoot to encrypt computers used on project sites and at the DNA TOTAL PROFILE, INC. processing center.
External devices, also encrypted with AES-256, are utilized to ensure data security and integrity during transportation from project sites. The end product containing the bio identity profile is also encrypted with AES-256, providing secure delivery to the client and continuous protection afterwards.
As I understand it, the information on computers and external transport devices is ultimately destroyed, using Department of Defense criteria, after the bio identity profile is delivered to the client. (Why don’t they use an encrypted internet connection? Maybe the chances of getting hacked on-line are too big a risk, considering what they store.)
DNA TOTAL PROFILE, INC. offers an add-on virtual safe through VitalESafe. VitalESafe utilizes SSL during transmission or upload of the record, while the virtual safe itself is encrypted with AES-256.
Looking at your operations and considering where your weaknesses and troublesome points lie, and then shoring them up: This is data security done right.