August 17, 2019 News Magazine

Thousands of medical injury claim records exposed by ad agency

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers. Law firms pay the ad company to set up individual websites that aim to sign up victims from specific categories of harm and injuries — from medical implants, malpractice, sexual abuse and more — who submit their information in the hope of receiving legal relief.

But the database was left unprotected and without a password, allowing anyone to look inside.

Security researchers Noam Rotem and Ran Locar found the database and reported it to the company, which pulled the database offline. The researchers also shared their discovery exclusively with TechCrunch and posted their findings on vpnMentor.

The database contained names, addresses, phone numbers, the date and time of a person’s submission and the circumstances and explanation of their accident, injury or illness. Often this included personal health information, sensitive medical information, details of procedures or the consumption of certain medications or specifics of traumatic events.

Several records seen by TechCrunch include records from campaigns targeting combat veterans who were injured on duty. Other campaigns sought to sign up those who suffered illnesses from pesticides or medications.

Other campaigns included soliciting claims for sexual abuse. We found several names, postal and email addresses and phone numbers of victims, many of whom also described their sexual abuse as part of filling out the website form.

One of the records in the database. (Image: supplied)

The researchers said the exposed data could be “easily traced” back to the individuals who filled out the website forms.

The exposed database also contained a list of more than 300 law firms who paid X Social Media to set up the lead-generation operation. It also contained records of how much each law firm paid the ad company — in some cases amounting to tens of thousands of dollars. The database also contained the bank routing and account numbers of the ad company, which law firms used to pay the company for its services.

In reporting this story, we found a second, smaller database. In an effort to get the database secured, we provided the IP address to Jacob Malherbe, founder of X Social Media, in an email. Within an hour, the database had been pulled offline.

Despite this, Malherbe denied that the company stored medical data, described the findings as “inaccurate” and asked that we “direct all other emails to our company lawyers.”

When presented with several files containing the data, Malherbe responded:

“After being notified by TechCrunch about a security problems in MongoDB the X Social Media developer team immediately shut down the vulnerability create [sic] by a MongoDB database and did a night long log file review and we only found the two IP addresses, associated with TechCrunch accessing our database. Our log files show that nobody else accesses the database while in transit. We will continue to investigating this incident and work closely with state and Federal agencies as more information becomes available.”

When asked, Malherbe declined to provide the logs to verify his claims. The company also wouldn’t say how long the database was exposed.

This is the latest exposed database found by the researchers in recent months.

The researchers have previously found data leaking from Fortune 500 firm Tech Data, exposed user records and private messages of Jewish dating app JCrush, and leaking data from Canadian cell network Freedom Mobile and online retailer Gearbest.


Source: TechCrunch
