AstraZeneca Password Lapse Exposed Patient Data (techcrunch.com) 16
An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations."
It's unclear if anyone was able to access the data, or if any data was exfiltrated.
It's unclear if anyone was able to access the data, or if any data was exfiltrated.
why does the test environment have real data? (Score:2)
why does the test environment have real data like that in at all?
Re: (Score:2)
It's common to have real data in test environments so you can test with real world data. The only thing they forgot to do I guess is anonymize the data which is standard procedure. LOL!
Re: (Score:2)
The thing is, real data, specially in large datasets, has the weird quirks that no artificially generated data has.
I have seen many systems over the years that have worked just fine in testing with fake data, but when presented with real world data things break.
Re: (Score:2)
Indeed, but you need to anonymize the data or look stupid later.
Re: (Score:2)
That's not unusual. I work on totally different products (military electronic sensor equipment) and we use mostly customer-supplied datasets that contain real-world data - incl. GPS data and such - that triggered some problem or other in our firmwares. We use the datasets for regression testing.
Re: (Score:2)
because their fine staff of contractors that are three parties removed from them has learned to cut/paste in their editor.
Poor system design (Score:3)
If user error can expose a large amount of sensitive information, then your real problem is not user error, but a system that was never designed to limit the damage done by those inevitable user errors.
Re: (Score:3)
Yeah but remember: they strive for the highest standard - the same way I strive to climb Mount Everest but I'm still sitting pissed up in a bar in Kathmandu.
Oh fiddlesticks! (Score:2)
They know about my diabetes! By gum, I think Mr. Selleck is going to call me personally, and I'll bet dollars to doughnuts I end up with a reverse mortgage.
Process error, not human error (Score:3)
MFA would have prevented that problem, as well as temporary credentials, as well as a security scanner on their GitHub org/repos to look for credentials.
Test systems should never contain PHI or PII. That's like, legally required by HIPAA. What the fuck.
just a few CISO questions (Score:2)
1) Describe the risks of cavalier, ungoverned systems architecture as it pertains to security.
2) Describe the role of security in enforcing HIPPA and ITIL V3 standards as it pertains to ISM. What other federal
statutes govern the handling of PII?
3) Describe briefly how you would train staff on handling sensitive customer-related data and what reporting mechanisms would
out like to see in a mature organization to handle possible leaks of that data.
4) What are the risks of not following the standards mentioned
How stupid can you be? (Score:2)
Credentials stored with the source code, source code on publicly-reachable servers, test-data containing life data. Three things to never, ever do. This should result in personal (!) punishment for CEO and CISO, because they obviously did not do their jobs and completely incompetent people were hired and handed data they should never have had access to.