December 10, 2019 News Magazine

Thousands of medical injury claim records exposed by ad agency

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers. Law firms pay the ad company to set up individual websites that aim to sign up victims from specific categories of harm and injuries — from medical implants, malpractice, sexual abuse and more — who submit their information in the hope of receiving legal relief.

But the database was left unprotected and without a password, allowing anyone to look inside.

Security researchers Noam Rotem and Ran Locar found the database and reported it to the company, which pulled the database offline. The researchers also shared their discovery exclusively with TechCrunch and posted their findings on vpnMentor.

The database contained names, addresses, phone numbers, the date and time of a person’s submission and the circumstances and explanation of their accident, injury or illness. Often this included personal health information, sensitive medical information, details of procedures or the consumption of certain medications or specifics of traumatic events.

Several records seen by TechCrunch came from campaigns targeting combat veterans who were injured on duty. Other campaigns sought to sign up those who suffered illnesses from pesticides or medications.

Other campaigns included soliciting claims for sexual abuse. We found several names, postal and email addresses and phone numbers of victims, many of whom also described their sexual abuse as part of filling out the website form.

One of the records in the database. (Image: supplied)

The researchers said the exposed data could be “easily traced” back to the individuals who filled out the website forms.

The exposed database also contained a list of more than 300 law firms who paid X Social Media to set up the lead-generation operation. It also contained records of how much each law firm paid the ad company — in some cases amounting to tens of thousands of dollars. The database also contained the bank routing and account numbers of the ad company, which law firms used to pay the company for its services.

In reporting this story, we found a second, smaller database. In an effort to get the database secured, we provided the IP address to Jacob Malherbe, founder of X Social Media, in an email. Within an hour, the database had been pulled offline.

Despite this, Malherbe denied that the company stored medical data, described the findings as “inaccurate” and asked we “direct all other emails to our company lawyers.”

When presented with several files containing the data, Malherbe responded:

After being notified by TechCrunch about a security problems in MongoDB the X Social Media developer team immediately shut down the vulnerability create [sic] by a MongoDB database and did a night long log file review and we only found the two IP addresses, associated with TechCrunch accessing our database. Our log files show that nobody else accesses the database while in transit. We will continue to investigating this incident and work closely with state and Federal agencies as more information becomes available.

When asked, Malherbe declined to provide the logs to verify his claims. The company also wouldn’t say how long the database was exposed.

This is the latest exposed database found by the researchers in recent months.

The researchers have previously found data leaking from Fortune 500 firm Tech Data, exposed user records and private messages of Jewish dating app JCrush and leaking data from Canadian cell network Freedom Mobile and online retailer Gearbest.

Source: TechCrunch
