Ever since the COVID-19 pandemic broke, criminals are on the lookout for new ways to carry out nefarious activities. One of the biggest crimes that have long haunted cybersecurity firms and companies alike is being hacked. If a company deals with customers' personal info, the threat level is serious. While some companies might invest a great deal on cybersecurity, there are many examples of companies giving a damn about it all. That's where the problem lies.
All the sensitive data is just there to take it. All it takes is a person with the right knowledge to execute an attack and they will be sitting on a goldmine of data ready to be sold off on the dark web. One such instance of carelessness came to light from a reputed Indian blood test lab, Dr Lal PathLabs.
Dr Lal PathLabs exposed sensitive patient data
Dr Lal PathLabs became a key player in the race when the Indian government approved the lab for carrying out COVID-19 tests. The lab was serving some 70,000 patients every day, which automatically requires the company to store large amounts of sensitive data on patients. But the shocking discovery made Australia-based security expert Sami Toivonen revealed that all the data was up for grabs for anyone looking in the right place.
The researcher had found that Dr Lal PathLabs was storing hundreds of large spreadsheets packed with sensitive patient data on Amazon Web Services (AWS) without a password. The data consisted of daily records of patient lab tests, their names, addresses, genders, DOBs, contact numbers and the details of the test, which could easily indicate the medical diagnosis of the patient.
This also included data on the patient's COVID-19 status, whether positive or negative. In India, the COVID test results are directly given to respective state health officials in order to carry out necessary precautions to either isolate the patient or shift them to a dedicated treatment center.
Should you worry?
Well, if you recently got your blood test done at Dr Lal PathLabs, there's reason to be worried. But Toivonen said that the lab quickly shut down the access after being notified of the security lapse. However, the company did not respond or issue a statement in this regard. There's no way of knowing for sure if the loophole was exploited by anyone else or how long the bucket was exposed.
"I'm glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors.I was also a little surprised that they didn't respond to my responsible disclosure," Toivonen told TechCrunch.
Last week, Munender Soperna, CIO of Dr Lal PathLabs, in an interview with ET emphasised on cybersecurity.
"For us security is not a destination, it's a journey. For the future, we are aiming at three main KPIs -- protection against cyber threat, establishing Dr Lal PathLabs as a 100 percent secure business, and meeting compliance requirements," Soperna told the publication.