Breast Cancer Charity Exposed Sensitive Images of U.S. Patients

The Ardmore, Pennsylvania-based cancer charity Breastcancer.org suffered a massive data loss impacting thousands of its registered users.

The IT security researchers at SafetyDetectives identified a misconfigured Amazon S3 bucket that was left publicly available without any safety protocols in place. Further probe revealed Breascancer.org, a US-based charity, owned the bucket.

The bucket was identified on 11 November 2021, and the files stored dated back to April 2017, while filenames suggested some images dated back to 2014 and 2017.

SafetyDetectives informed Breastcancer.org about the exposed bucket on 17 November 2021 and again on 21 November 2021. Later, the US Computer Emergency Response Team (CERT) was notified about the misconfigured bucket.

The unfortunate incident resulted in the exposure of thousands of files to the public, including sensitive images of the charity’s website users. It is worth noting that Amazon doesn’t manage this bucket, and therefore, the misconfiguration isn’t Amazon’s fault.

It shouldn’t come as a surprise since misconfigured databases is a big problem for businesses. Earlier this week, Group-IB researchers published their findings revealing that they discovered 308,000 exposed databases across the globe.

About Breastcancer.org

Breastcancer.org is a non-profit organization established in 2000 to offer the most advanced, scientifically-backed research on breast cancer and offer free breast health advisory via its website to empower women.

The Ardmore, Pennsylvania-based organization’s website receives more than 28 million visitors annually and boasts 220,000 registered members. Given the company’s global reach, it is evident that the data exposure must impact a significant number of users in the USA and Europe.

Details of Exposed Data

The bucket exposed more than 350,000 files, containing around 150 GB of data. There were reportedly two datasets on the exposed bucket: User Avatars and Post Images.

According to a blog post published by researchers, user Avatars contained profile pictures of the charity’s registered users. There were approximately 50,000 user avatars in the exposed dataset, and most of them feature images of the users. Furthermore, Post Images were also uploaded by Breastcancer.org’s users. The bucket contained more than 300,000 post images.

Sensitive Data Also Exposed

A portion of data contained sensitive user images, including detailed EXIF data that can reveal device details such as the camera model and brand and the image’s GPS location. This information may allow malicious threat actors to identify users’ locations and harass them.

US-based Charity Breastcancer.org Exposed Sensitive Images of Users — Test results (left) – Topless photo of a cancer patient (right)

Some post images also featured sensitive images intended for private viewing. Such as, there were medical test results, ultrasound results, and nude images taken for medical use. This type of content a user wouldn’t like to make public. Another alarming fact was that the open bucket was live and updated when it was discovered.