In 2006, I started advocating that there needs to be a law or regulation that requires businesses to have a method to obtain notifications of security alerts. A number of people I respect offered explanations as to why that wasn't a great idea. But 13 years later, I'm more convinced than ever that we need regulation or law requiring it. Of course, just getting a notification delivered doesn't mean that the entity will register it or respond appropriately to it. And when I rule the world, there will also be more consequences for entities who do not respond to notifications at all.

I can now reveal how I and others spent a few frustrating months trying to get a plastic surgeon in Colombia to lock down his Amazon S3 bucket. It was exposing more than 3,000 patient files, many of which were full frontal and rear nude photos of identifiable people. Most of these were pre-surgical images, but there were also numerous PDF files with detailed patient histories. To be clear: I do not know if he owned and managed the bucket or if he had some third-party vendor doing that, but it was his patients' data and so we reached out to him. Repeatedly. To no avail.

I generally try hard to avoid posting any PHI on this site, but I want you all to see how very concerning this leak was, so I am redacting just one of the images in the file. Keep in mind that it wasn't redacted at all in the bucket that anyone could access and download. How do you think Dr. Felipe Amaya's patients would feel if they knew their nude pictures like this were available online for anyone and everyone to download without any login required? And that he had been notified numerous times but still did not get the bucket secured?

DataBreaches.net was originally alerted to this leak over the summer by a researcher. This site then called Dr. Felipe Amaya's Florida phone number and left a voicemail with my U.S. callback number and information.
This site also contacted them numerous times in writing via their onsite contact and chat forms at FelipeAmaya.com. We also tried email to their info@ email address on numerous occasions. I even tried Telegram. My messages were sent in both English and Spanish. And someone in the area of their Colombia center actually got through to them on the phone one day, only to be told by a secretary that they don't use Amazon.

With repeated and various methods failing, Amazon was contacted, and as we understand it, they did contact their user. But nothing happened. The bucket remained exposed.

Enter GDI Foundation, stage left. GDI Foundation is focused on responsible disclosure, and they reached out to Amazon, CERT, and of course, Dr. Felipe Amaya's site. This time, it worked. The bucket is now locked down. Great thanks to @MasterHawkx1 of GDI Foundation for his help on this. And if you would like to be part of their responsible disclosure project, contact him or @0xDUDE via Twitter.

But this leak also made me think about that Florida phone number on their site. Is that surgeon's business therefore accountable under Florida breach notification law? And even if they are not, if you are an American thinking about medical tourism, you may also want to think about what happens in the event of a privacy or data security breach. Do you know if there will be any accountability?

In any event, you might think that with the felipeamaya.com bucket locked down, we could breathe a sigh of relief and rest a bit on our laurels? Heck no, because this morning I started seriously going after the firm that leaked the 750,000 birth certificate applications that Zack Whittaker reported on this week. This site had been aware of that leak since June of this year, and Zack's report of their failure to be able to reach anyone reminded me that that firm had been on an ever-growing list of entities to notify.
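The exposure above came down to an S3 bucket that anyone could read without a login. As an added illustration (not code from DataBreaches.net or from any party named in the post), the script below evaluates the two artifacts that make an S3 bucket world-readable, the bucket ACL and the bucket policy, the way an owner or vendor auditing their own buckets would. It runs offline against constructed sample inputs in the JSON shape that boto3's get_bucket_acl() and get_bucket_policy() return; the bucket name, account id and role name in the samples are made up.

```python
"""Audit S3 bucket ACL and bucket policy for public read access.

Added example, not code from DataBreaches.net. The ACL and policy documents
below are constructed samples in the shape boto3 returns from
get_bucket_acl() and get_bucket_policy(); no AWS call is made.
"""
import json

# Canonical group URIs AWS uses for "anyone on the internet" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return (Sid, actions, has_condition) for Allow statements open to everyone.

    A Condition block is reported rather than ignored: keys such as
    aws:SourceVpce can narrow a "*" principal, so a human should look at it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def is_publicly_readable(acl: dict, policy_json: str) -> bool:
    """True if either artifact lets anonymous callers read objects."""
    for group, perm in public_acl_grants(acl):
        if group == "AllUsers" and perm in ("READ", "FULL_CONTROL"):
            return True
    for _sid, actions, conditioned in public_policy_statements(policy_json):
        if conditioned:
            continue                         # flagged above, but not a definite finding
        if any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False


# Constructed samples (made-up bucket, account id and role name).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"}
EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-clinic-images/*"}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ClinicApp"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-clinic-images/*"}]})


if __name__ == "__main__":
    for label, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                            ("hardened", PRIVATE_ACL, HARDENED_POLICY)):
        print(label, "public ACL grants:", public_acl_grants(acl),
              "open statements:", public_policy_statements(pol),
              "readable by anyone:", is_publicly_readable(acl, pol))
```

On a live account the same two checks sit behind get_bucket_acl() and get_bucket_policy() in boto3, and the standard remediation is the account- or bucket-level Public Access Block with all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) enabled, which makes a grant like the one in EXPOSED_ACL ineffective even if someone re-adds it later.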
But when the firm didn't respond to a site contact message I left yesterday, and my attempt via LinkedIn to reach a founder of the company named in their copyright notice did not produce a response from that individual, I reached out to Amazon, CERT, and the Federal Trade Commission. I won't go into details about this one because I don't want to point to the exposed database, but hopefully, someone will get that company off the dime and I'll be able to post an update at some point.

While Amazon and law enforcement appear logical approaches for these types of situations, it would be great if the FTC came down hard on those who not only have inadequate data security but do not respond to notifications. The FTC took action like that once in the past, but they need to do it more frequently and with more serious consequences until entities get the message that they need to have a way to receive alerts and they need to respond to them.