Online Atrocity Database Exposed Thousands of Vulnerable People In Congo

An anonymous reader quotes a report from The Intercept: A joint project of Human Rights Watch and New York University to document human rights abuses in the Democratic Republic of the Congo has been taken offline after exposing the identities of thousands of vulnerable people, including survivors of mass killings and sexual assaults. The Kivu Security Tracker is a "data-centric crisis map" of atrocities in eastern Congo that has been used by policymakers, academics, journalists, and activists to "better understand trends, causes of insecurity and serious violations of international human rights and humanitarian law," according to the deactivated site. This includes massacres, murders, rapes, and violence against activists and medical personnel by state security forces and armed groups, the site said. But the KST's lax security protocols appear to have accidentally doxxed up to 8,000 people, including activists, sexual assault survivors, United Nations staff, Congolese government officials, local journalists, and victims of attacks, an Intercept analysis found. Hundreds of documents -- including 165 spreadsheets -- that were on a public server contained the names, locations, phone numbers, and organizational affiliations of those sources, as well as sensitive information about some 17,000 "security incidents," such as mass killings, torture, and attacks on peaceful protesters.

The data was available via KST's main website, and anyone with an internet connection could access it. The information appears to have been publicly available on the internet for more than four years. [...] The spreadsheets, along with the main KST website, were taken offline on October 28, after investigative journalist Robert Flummerfelt, one of the authors of this story, discovered the leak and informed Human Rights Watch and New York University's Center on International Cooperation. HRW subsequently assembled what one source close to the project described as a "crisis team." Last week, HRW and NYU's Congo Research Group, the entity within the Center on International Cooperation that maintains the KST website, issued a statement that announced the takedown and referred in vague terms to "a security vulnerability in its database," adding, "Our organizations are reviewing the security and privacy of our data and website, including how we gather and store information and our research methodology." The statement made no mention of publicly exposing the identities of sources who provided information on a confidential basis. [...] The Intercept has not found any instances of individuals affected by the security failures, but it's currently unknown if any of the thousands of people involved were harmed. "We deeply regret the security vulnerability in the KST database and share concerns about the wider security implications," Human Rights Watch's chief communications officer, Mei Fong, told The Intercept. Fong said in an email that the organization is "treating the data vulnerability in the KST database, and concerns around research methodology on the KST project, with the utmost seriousness." Fong added, "Human Rights Watch did not set up or manage the KST website. We are working with our partners to support an investigation to establish how many people -- other than the limited number we are so far aware of -- may have accessed the KST data, what risks this may pose to others, and next steps. The security and confidentiality of those affected is our primary concern."

The sliver lining

[oumuamua]

Or in this case, the cobalt lining, is that without this data breach most people would never have heard about these atrocities.
For two reasons 1) too much other shit going on in the world and 2) no one cares what happens in Africa - harsh but true
https://truthout.org/articles/... [truthout.org]

Just post it in the newspaper

[jenningsthecat]

I get that data security is very difficult. But really? It seems not a day goes by without at least one major data breach. Are the bad guys that good at being bad? Or are the nominal good guys lazy and careless, or somehow handicapped by the cultures they work in?

I know the answer is somewhere in the middle, but I keep getting the impression that it's rather on the far side, favouring laziness and carelessness. I don't work in the field so I could easily be wrong, but lots of folks here have plenty of first

Re:

[jenningsthecat]

Just re-read my post and realized something I failed to mention. Yes, I did read RTFS, and understand that this specific story is all about carelessness.

databasic nature

[spaceman375]

Anytime you make a database, someone will access it inappropriately for personal gain.The solution is not more restrictions on who can get to the data. The actual compiling and retention of the data is what needs to be restricted. Instead of hoarding every last detail, only strictly necessary info should be used, and regularly purged at that. Maybe we should tax databases by size and complexity of personal data?

Don't store the data

[FeelGood314]

Not sure about your taxing ideas but there should be criminal charges for storing data of this sensitivity on an internet connected device. If it was on a flash drive in a safe then you can keep it. But keeping sensitive information on a network when the information isn't need in a real time way should be criminal. This wasn't just bad security on the database it was the fact the database existed on an internet connected device that is the problem.
I had Entrust message me that they were hacked and my em