3rd Party Risk Management , Application Security , Breach Notification
Drug Testing Lab Portal Incident Exposed Data for 4 YearsHow Can Other Entities Avoid Similar Misconfiguration Mishaps?
A Florida county lab that performs drug testing for employment, court cases and other purposes is notifying thousands of individuals of a web portal misconfiguration incident that left personal information accessible to others for more than four years.
Some experts say the mishap spotlights common issues involving IT misconfigurations, including those related to web portals, which can put data at risk for compromises, including hacking incidents.
"Because portals, by definition, are externally facing, they are accessible via the internet, which automatically means they are more likely to be targets for attackers," says Tom Walsh, founder of privacy and security consultancy tw-Security.
In a notification statement posted on its website on Thursday, St. Lucie County says its Drug Screening Lab learned on Dec. 28, 2021, that due to a configuration error in the SLC Lab web portal, certain data had been "inadvertently made accessible" over a four-year span.
A breach report filed to the Maine attorney general's office on Thursday says the incident affected 14,528 individuals, including eight residents of Maine.
A St. Lucie County spokesman tells Information Security Media Group that "the county is not a HIPAA-covered entity with respect to the information involved in this incident."
Appropriate notifications have been provided under state law, and no other county data was affected by the incident, he says.
The incident involved "misconfigured coding" that was identified in an internal web portal, which was promptly remediated upon discovery, the spokesman says.
SLC Lab says it also immediately launched an investigation with external cybersecurity professionals to determine what information may have been accessible to unauthorized users.
"After an extensive forensic investigation and thorough review of the data affected, SLC Lab discovered … that the website portal misconfiguration allowed for data to be accessible to certain portal users between June 2, 2017, and Oct. 13, 2021," the county's notice says.
Affected information included individuals' names and one or more of the following: Social Security numbers, dates of birth, and type and result of lab test.
"To date, SLC Lab is not aware of any reports of identity fraud or improper use of any information as a direct result of this incident."
SLC Lab is offering complimentary credit and identity monitoring services to those affected, it says.
The incident at SLC Lab is among other high-profile breaches involving web portals exposing sensitive health and other personal information.
Other notable health data breaches involving web portal misconfigurations include a coding error in a portal of the Employee Retirement System of Texas discovered in 2018 that inadvertently allowed some users to view the information of others, potentially exposing information on nearly 1.25 million of its members.
The massive Equifax breach in 2017, which affected more than 163 million individuals in the U.S. and elsewhere, also stemmed in part from a failure to patch a custom-built, internet-facing consumer dispute portal, according to a 2018 congressional report (see: Equifax Breach Entirely Preventable, House Report Finds).
Portals "tend to be about one person obtaining data about themselves and no one else," Walsh says. Therefore, some consider the risk of unauthorized exposure to be low - just a single person’s data being exposed," he says.
However, portals pull data from other internal sources and then displays the results in a webpage, functioning like a conduit, he notes.
"Most of the time, the portal doesn’t actually store any confidential information such as protected health information and/or personally identifiable information. But that is not always the case," he says.
"Some portals temporarily store the information - directly or indirectly through transactional logs. The security of this data can often be overlooked because it is not easy to find the logs and the user would have to have elevated privileges to get to the logs."
Avoiding Misconfiguration Mishaps
Walsh suggests organizations take a variety of measures to avoid web portal and related IT misconfiguration mishaps that can potentially lead to data breaches.
- Performing a web application review/assessment to better understand which configuration parameters would significantly affect the confidentiality of data;
- Having a third-party periodically conduct a code review to confirm that the portal is running securely;
- Routinely running vulnerability assessments, scans and penetration testing;
- Strictly following a change management process that includes a security review of the planned changes;
- Implementing security log monitoring to uncover suspicious activity and give greater opportunity to discover any potential breach of data.
To reduce the risks of security incidents involving web portals, Walsh also recommends:
- Implementing multifactor authentication if it is a viable option for portal users or, if not, implementing strong password rules;
- Setting automatic timeouts that end a portal user’s session after a period of inactivity;
- Preventing the success of password-cracking programs by automatically locking portal users' accounts after a predetermined number of consecutive, unsuccessful logon attempts;
- Encrypting data stored in a portal, even temporarily and in logs;
- Exposing only the minimum necessary information needed in portal encounters;
- Ensuring that audit trail and transaction logs include sufficient information to establish what events occurred, such as type of event, when the event occurred and the IP address of the user;
- Protecting transaction logs with an additional layer of security, such as a different set of credentials to access the logs;
- Preserving the integrity of logs so they cannot be deleted or altered;
- Implementing an intrusion detection system to help facilitate detection, investigation and response to incidents;
- Erasing cookies when the web browser used to access the portal is closed.