At a glance.
- Third-party breach affects UK's National Health Service.
- Data exposed in S3 bucket used by children's fashion online retailer.
- Oklahoma City Police Department sustains a third-party breach exposing data of sexual assault victims.
NHS suffers third-party data breach.
The UK’s National Health Service (NHS) has disclosed a data breach that exposed the data of tens of thousands of individuals. The Daily Mail explains that the compromised documents include appointment messages to miscarriage sufferers, test results from cervical screenings, and letters regarding minors scheduled for surgery. The sensitive data was inadvertently exposed by PSL Print Management, a consultancy firm working with the NHS, and dates back to 2015 despite data privacy laws that require medical data be deleted as soon as possible. The breach was discovered by a former PSL staffer who, after requesting details about his communications while working at the firm, received a large file of emails bearing attachments that included sensitive patient documents. An NHS spokesperson confirmed that the Information Commissioner's Office is investigating the incident.
Data of tiny fashionistas exposed.
The researchers at SafetyDetectives detail their discovery of an unprotected Amazon Web Services (AWS) S3 storage bucket containing data owned by children’s fashion e-commerce site melijoe.com. The bucket contained the personal data of hundreds of thousands of customers who visited the high-end fashion brand’s website. Headquartered in Paris, France, Melijoe sells clothes for kids from luxury brands like Ralph Lauren and Versace, and the exposed data includes customer brand preferences, children’s names, purchase delivery addresses, and payment methods. Customers from France, Russia, Germany, the United Kingdom, and the United States are among those exposed, and Melijoe’s product catalog and stock levels were also found in the storage bucket. The breach has been disclosed to AWS and the French Computer Emergency Response Team as well as Melijoe, but it took over three months for the bucket to be secured.
Police department breach compromises data of rape victims.
The data of sexual assault victims were potentially compromised in a third-party data breach impacting the Oklahoma City Police Department (OKCPD). DNA Solutions Inc., a forensics testing company used by the department, experienced a network security incident last November that exposed rape kit data sent to the company for analysis. OKCPD told KFOR News, “DNA Solutions Inc. determined that an unauthorized third party accessed their network and may have compromised certain sensitive personal and health related information from sexual assault kits sent to them for forensic testing.” Though the compromised data fortunately did not include personally identifiable information like Social Security numbers or financial information, the breach compromised extremely vulnerable individuals, and the twelve months of free credit monitoring offered by DNA Solutions likely feels like insufficient restitution.