
AstraZeneca Password Lapse Exposed Patient Data (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations."

It's unclear if anyone was able to access the data, or if any data was exfiltrated.
  • Why does the test environment have real data like that in it at all?

    • That's not unusual. I work on totally different products (military electronic sensor equipment) and we use mostly customer-supplied datasets that contain real-world data - incl. GPS data and such - that triggered some problem or other in our firmwares. We use the datasets for regression testing.

    • Because their fine staff of contractors that are three parties removed from them has learned to cut/paste in their editor.

  • by Immerman ( 2627577 ) on Friday November 04, 2022 @05:17PM (#63025491)

    If user error can expose a large amount of sensitive information, then your real problem is not user error, but a system that was never designed to limit the damage done by those inevitable user errors.

    • Yeah but remember: they strive for the highest standard - the same way I strive to climb Mount Everest but I'm still sitting pissed up in a bar in Kathmandu.

  • They know about my diabetes! By gum, I think Mr. Selleck is going to call me personally, and I'll bet dollars to doughnuts I end up with a reverse mortgage.

  • by peterww ( 6558522 ) on Friday November 04, 2022 @05:45PM (#63025559)

    MFA would have prevented that problem, as well as temporary credentials, as well as a security scanner on their GitHub org/repos to look for credentials.

    Test systems should never contain PHI or PII. That's like, legally required by HIPAA. What the fuck.
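An added illustration of the third control the comment above names, a credentials scanner run over a repository. This is example code, not anything from the page, from AstraZeneca or from any product mentioned; it combines a rule for assignments whose key name says "password", "secret" or "token" with a Shannon-entropy check for random-looking strings, and the sample file and every value in it are constructed for the example.

```python
import math
import re

# Constructed sample of a config file mistakenly committed to a repo.
# Every value here is made up for the example.
SAMPLE_FILE = """\
# sfdc test env
SF_USERNAME=dev.user@example.test
SF_PASSWORD=Sup3rS3cret!Pass2021
SF_SECURITY_TOKEN=Kq9vZ2LmT7xW4pRbN8yH3cJd
auth_header = "Bearer 8fJk2Lp0QzT9vXwRn3bYd6Hs1Ma"
LOG_LEVEL=debug
timeout = 30
"""

# Rule 1: an assignment whose key name says it holds a credential.
CREDENTIAL_KEY = re.compile(
    r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_.-]*"
    r"(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)
# Rule 2: any long token that looks random; the entropy check decides.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(s):
    """Bits per character; random API tokens score well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def scan_text(text, entropy_threshold=3.5):
    """Return (line_no, rule, detail) tuples; detail never holds the full value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_KEY.search(line)
        if m:
            findings.append((lineno, "credential-key", m.group("key")))
            continue
        for tok in HIGH_ENTROPY_TOKEN.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                # Truncate so the scanner's own report is not a second copy
                findings.append((lineno, "high-entropy", tok[:4] + "..."))
    return findings
```

Running `scan_text(SAMPLE_FILE)` flags the two credential-named keys and the bearer token on line 5, while the username, log level and timeout lines pass.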

  • 1) Describe the risks of cavalier, ungoverned systems architecture as it pertains to security.
    2) Describe the role of security in enforcing HIPAA and ITIL V3 standards as it pertains to ISM. What other federal statutes govern the handling of PII?
    3) Describe briefly how you would train staff on handling sensitive customer-related data and what reporting mechanisms you would like to see in a mature organization to handle possible leaks of that data.
    4) What are the risks of not following the standards mentioned?

  • Credentials stored with the source code, source code on publicly-reachable servers, test data containing live data. Three things to never, ever do. This should result in personal (!) punishment for the CEO and CISO, because they obviously did not do their jobs and completely incompetent people were hired and handed data they should never have had access to.
