Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak

from the thanks-for-the-help!-they-sued dept

For doing the company the favor of informing it about a leaky AWS bucket exposing sensitive counseling records of 300,000 Indian employees, the company -- 1to1Help -- has filed a criminal complaint against the person who brought the situation to its attention.

In the middle of May, a researcher came across the exposed data and informed Dissent Doe of DataBreaches.net about their findings. After verifying the leak, Dissent Doe began trying to contact 1to1Help to inform it of the leak. No response was received until over a month later, possibly prompted by Dissent Doe contacting a large American company that was a customer of 1to1Help.

The slow response was blamed on internal email routing. Here's some of what was seen in the exposed bucket:

In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.

[...]

There were more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.

Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.

Keep in mind that 1to1Help is a counseling firm that provides mental and physical health services to customers. That gives you some idea just how sensitive this information is, especially when bundled with the usual PII and personal email addresses.

The contact person at 1to1Help sent an email detailing the steps the company had taken, as well as preventative measures deployed to prevent further leaks in the future. Unfortunately, 1to1Help's Anil Bisht also tried to talk Dissent Doe out of writing about this leak.

As a small India-based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.

[...]

We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.

Doe refused, stating that she would not be covering up the leak. Nor would she delete the data until full disclosure was made by 1to1Help.

Because of this refusal to cover up 1to1Help's screw-up, the company has decided to take legal action against Doe and her site by filing a criminal complaint in India. It has already managed to secure an injunction against the site forbidding it from publishing… an article that has already been published.

The injunction was issued by a civil court in Bengaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:

- from disclosing, publishing or broadcasting the schedule data or any part thereof; and

- from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;

The suit also seeks to direct Domain People to block the website of DataBreaches.net.

As Doe notes, it appears 1to1Help's lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.

Second, the lawyers claimed Doe's site was "rogue," due to it containing no contact information for Doe. They were either wrong or lying, as Doe's site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.

Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That's called journalism, not blackmail, and either its lawyers can't comprehend that or they willfully misportrayed this extremely common process to the court.

The problem isn't the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.

This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.

What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?

This is far too common a response and it's certainly not limited to India, where the legal system is often used to target speech complainants don't like. Doe resides in the United States, so the First Amendment protects everything she's written, even from a company halfway around the world that doesn't like its lax security discussed in public.

Filed Under: breaches, criminal complaint, dissent doe, india, leaks, reporting
Companies: 1to1help


Reader Comments



  1. That Anonymous Coward (profile), 12 Aug 2019 @ 12:26pm

    Streisand Effect didn't translate...
    Let's try this...

    रवीना टंडन प्रभाव (Raveena Tandon Effect)


  2. Get off my cyber-lawn! (profile), 12 Aug 2019 @ 12:39pm

    Typical

    Doe - pounding on door and yelling "Your apartment is on fire!"

    1to1 - "Thanks but please don't tell the neighbors"

    Doe - "No, that would be reckless and stupid"

    1to1- "We're calling the police to have you arrested for disturbing the peace and attempting to blackmail us by telling our neighbors that our apartment is on fire!"

    Indian Court - "Not only shouldn't you have told the neighbors about the fire, but you aren't allowed to tell anyone else about it going forward!"


  3. Anonymous Coward, 12 Aug 2019 @ 12:49pm

    Based upon the reaction, I assume the data was exposed intentionally.


  4. Anonymous Coward, 12 Aug 2019 @ 12:49pm

    suicide was criminalized

    I don't support suicide but are they really going to prosecute a corpse?

    I don't think they thought that law through.


  5. Anonymous Coward, 12 Aug 2019 @ 12:58pm

    Re:

    Probably not, but I assume they will go after third parties even if the third party had nothing to do with it.


  6. Anonymous Coward, 12 Aug 2019 @ 1:00pm

    Re:

    It might be that attempting suicide is criminalized, and they'll prosecute you if you survive.

    Or they might go after your next-of-kin with financial penalties.


  7. Gary (profile), 12 Aug 2019 @ 1:15pm

    Re: Re:

    Normally attempted suicide is criminalized to allow "protective" incarceration.


  8. Roy Rogers, 12 Aug 2019 @ 1:51pm

    Re: Re:

    " It might be that attempting suicide is criminalized, and they'll prosecute you if you survive."

    Otherwise, just regular suicide charges?


  9. Pixelation, 12 Aug 2019 @ 4:08pm

    Ah yes, shoot the messenger! Problem solved.


  10. Jordan, 12 Aug 2019 @ 4:21pm

    Indian Law

    If the blogger's not in India what can they actually do about it?


  11. Tin-Foil-Hat, 12 Aug 2019 @ 5:25pm

    Automated Process

    Perhaps an anonymous automated process should be developed where vulnerabilities can be reported to the company. Once the process begins the information is provided to the public after ten days (or whatever). The company can respond and the initial report can be deactivated in a variety of ways plus a general expiration of the report. That way the company can take action or not but at least the person who reports the issue doesn't have to take the risk that the company is run by idiots and/or assholes.


  12. Tin-Foil-Hat, 12 Aug 2019 @ 5:31pm

    Re: Indian Law

    Probably can't do anything but who knows.


  13. Anonymous Coward, 12 Aug 2019 @ 5:49pm

    Note: This post included a link to the Techdirt tag "shooting the messenger", yet does not include that self-same tag. Seems like an omission to me.


  14. JdL (profile), 12 Aug 2019 @ 6:25pm

    A reminder that it's not just American courts that are steeped in corruption and incompetence.


  15. Anonymous Coward, 12 Aug 2019 @ 10:24pm

    Re:

    are they really going to prosecute a corpse?

    The RIAA's attempted that on multiple occasions.



  17. Bergman (profile), 13 Aug 2019 @ 4:24am

    SPEECH Act

    I realize the SPEECH Act only specifically applies to libel, but I wonder if it would have an effect on civil court gag orders that would violate the first amendment?

    https://en.wikipedia.org/wiki/SPEECH_Act


  18. Wendy Cockcroft (profile), 13 Aug 2019 @ 5:16am

    Re:

    It's the company that's at fault, not the court. It's not their fault the lawyers misled them.


  19. Anonymous Coward, 13 Aug 2019 @ 9:35am

    Re:

    I had to use Translate for that... but apparently the Wikipedia page for Raveena Tandon has no mention at all of anything similar to the "Streisand effect".
    I assume the "Tandon Effect" is something similar but the Wikipedia page has been purged of all info about it?


  20. TFG, 13 Aug 2019 @ 1:52pm

    Re: Automated Process

    They'd just sue whoever maintains the automated process, unfortunately.


  21. That Anonymous Coward (profile), 14 Aug 2019 @ 10:21am

    Re: Re:

    Google hadn't connected Babs to any similar thing in Bollywood, so I just searched for a scandal that they tried to cover up and rolled the dice.

    But good on you for taking the time to decode the Hindi.

