With increasing regularity, personal information is turning up on websites. As a result, it is being picked up by search engines and is therefore accessible to anyone on the Internet. For example, last week, the personal details of patients from a hospital in Westerly, in the US, appeared on an open-access site. In another case, the site for Johnny’s Selected Seeds leaked the credit card numbers of its clients. InfoWatch experts emphasize that the Internet is one of the main channels for information leaks.
The details of 2,000 patients from a hospital in Westerly, Rhode Island, have appeared on a website. Who posted the information on the site is not known. The hospital administration has no idea how the data got out. In addition, the exposed records were quite detailed: names, illness history, operation details and insurance information. InfoWatch experts point out that the hospital will have serious problems since, according to US law, those guilty of allowing a leak of medical details stand to be prosecuted and the company itself is subject to a multi-million dollar fine.
The leak was identified by a woman who fell victim to it. She simply found her own telephone number via a search engine. As soon as the police were informed about the site, it was closed down. But nobody can say how long this data was online and who looked at it. The hospital now has to inform all those affected and set up a call center, etc. This will cost a minimum of 1 million USD.
Our next offender is the Johnny’s Selected Seeds company. At present, it is busy trying to fix its site, on which details of clients’ credit cards and company contractors were exposed. In all, 11,500 accounts were compromised. The company called in the FBI, which immediately began an investigation. The FBI has declined to comment, but company spokesmen were a little less guarded. As a result, we understand that the numbers of 20 cards have been used for fraudulent purposes. Johnny’s Selected Seeds does not admit guilt for the incident, although under state law it had to send notifications to those affected. According to the InfoWatch Analytical Center, herein lies one of the key differences between the storage of private details in the US and in Russia. If such a leak took place in Russia, then no F3 “Personal data” law, or any other law, would induce a Russian company to declare the leak publicly. It would simply be hushed up. But in America, a company has to publicly declare a leak incident even though it does not see itself as culpable.
Denis Zenkin, InfoWatch’s Marketing Director, said, “When information is posted on websites, it is a simple step for it to be picked up by standard search engines. What’s more, private information is even cached and stored on various mirror sites, meaning that it is impossible to erase, making the leak irreversible.”
Sources: Boston.com, Kennebec Journal