STEAM ROOM FOR ANGER

🤬🤬🤬

I just learned why they disabled images. A data safety org found BCO had our images exposed (possibly for years), but they didn't respond to notifications for over 5 months!

Here's the text. The safety org recommends filing a consumer complaint to the Pennsylvania Attorney General.

————

• May 3, 2022
• Dissent

Update: After posting this, tweeting this story, and getting retweets on it, it appears that as of late yesterday, the bucket was finally secured. Thanks to SafeyDetectives who kept re-checking the bucket and to everyone who tried to call attention to this to get the data locked down. DataBreaches did not get any acknowledgement or response from BreastCancer.org — at least not yet. DataBreaches has not changed its opinion that an investigation is needed to determine for how long these data were exposed, whether they were accessed and downloaded, and why BreastCancer.org failed to respond to multiple notifications over a period of five months.

SafetyDetectives recently reported that Breastcancer.org has been exposing sensitive information in a misconfigured AWS bucket. According to their report, exposed data included more than 50,000 registered user avatars and more than 300,000 post images with EXIF data.

Some post images featured sensitive content that felt as though it was intended for private viewing. For example, there were results from medical tests and images of nudity (most likely taken for medical purposes) included among the files — contents that a user would not typically post publicly.

The data may have been exposed for years.

Read more on SafetyDetectives.

One point that wasn't clear from SafetyDetectives' report was whether the bucket had been secured. SafetyDetective started reaching out to BreastCancer.org in November of 2021. They describe their multiple efforts but no outcome was reported. DataBreaches reached out to SafetyDetectives and received the following reply:

… unfortunately the bucket is still unsecured, we tried reaching the organization several times to different email addresses (including their privacy email, CEO, and basically all the people on their about page), we even reached out via social media (we tried reaching them publishing a post, because they don't accept private messages), but they haven't reply back. We reached out to the US CERT but they didn't reply and AWS did reply, but the thing is that they cannot actually secure the bucket, but to tell the owner that they need to secure it.
We published our report hoping that they would reach out to us to secure it but they haven't gotten back to us yet.

So more than 5 months after responsible disclosure attempts began, the bucket was still unsecured. DataBreaches reached out to BreastCancer.org through their website contact form, and like SafetyDetectives, got no reply.

DataBreaches left them a second message on their site telling them that we would be reporting in 48 hours and to lock down their data. There was no reply and the bucket was not secured.

At 8:00 am this morning, DataBreaches left a voicemail on their office phone. It reiterated that people had been notifying them for months but they had failed to lock down their Amazon storage bucket and that DataBreaches would be reporting on it this afternoon.

Still nothing, it seems.

The organization's privacy policy page contains this statement:

How We Protect Your Information

We use reasonable and appropriate administrative, technical, and physical safeguards to protect the information that we have about you from loss, theft, and unauthorized use, access, modification, or destruction. We also require third-party service providers acting on our behalf or with whom we share your information to maintain security measures in accordance with industry standards.
Although we have security safeguards in place, we cannot guarantee absolute security in all situations. If you have any questions about our security practices, please contact us as described in the "Contact Us" section. For your own security, please do not send any confidential personal information to us outside of our Services. It is also important that you maintain the security and control of your account credentials, and not share your password with anyone.

Except that they don't respond to contacts.

Pennsylvania regulators need to look into both the lack of security and BreastCancer.org's failure to respond to repeated notifications that they were exposing personal and sensitive information.

If you wish to contact the Pennsylvania Attorney General's Office to file a consumer complaint, you can find information and an online complaint form linked from here.

If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already!

And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.

It’s BCO that caused this mess. Thought they were a cancer support organization???

On the glitches thread, they’ve posted the usual horse crap.

molliefish, I've now lived long enough (I'm 75) that I get what my grandmother told me...nothing stays the same. It didn't make sense to me then and now I get it. That doesn't mean its not a tremendous loss on so many, many levels. I don't know what I would do if I were on the Stage IV boards. Nor would I know what to do if I progressed to Stage IV and where would I go?

I'm still here. I don't like the changes, but without my friends here, I'd be lost! Wrenn, I had a moment of panic when I read your post, thinking that BCO was closing the forums. At this point with Stage IV, I come here often for support, laughter and of course this Steam Room for Anger. You ladies all make my day.

Carol

wc3, I'm SOOOO sorry! It's unbelievable that someone would knowingly put you at risk for such severe consequences. I'm sorry you're sick, I'm sorry you're having to reschedule all of your appointments (especially the hysterectomy) and all the rest.

I hope you start recovering very soon.

(((hugs)))

Carol

bcincolorado, thank you. I'm really sad that things here are going so badly. We all get used to each others stories. I'm always interested in hearing what's happening with you as well....

Something got corrupted on those last 2 pages . I was able to add posts to get to a new clean page.

Click on the last page. That should work.

exbrnxgrl - It might have been one of my posts in trying to help Alice that corrupted the pages . I copied a block of text to start a new topic. Normally I would take a screenshot. 🙄

I assume mistake before corruption.

We have zero intention of closing the community. We are working toward a MUCH improved platform, and fix. We're so sorry for everything you've experienced.

Mods- you might keep a forum platform, but the lack of available information & support from our "sisters" is what has destroyed the site. Molliefish, a few hours ago was correct, BCO as we knew it is over. 2 months you've wasted our time and taken away our reason to come here. Your tech disaster became our problem and maybe we should just "let it go". If we are interested in 6 months, maybe some can restart....for those of us stage 4 that can seem too farout for help.

nopink2019 and all you other ladies, ever since this forum changed "for the better" I haven't been happy with it (an understatement) and now a data breech? I'm just catching up on the news...was sick with covid. Haven't been that sick in a very long time. Still don't feel good but am better. It's warmed up so at least Ican be outside. Idk if I want to stay on this forum

Sunshine99:

Thank you Carol! The core issue seems that a lot of people, my friend included, tend towards denial when they are sick with cold like symptoms if the syptoms are mild or just beginning. My mother does this. All sore throats are because she slept with her mouth open facing the fan. But really, it has never been because of the fan.

Hate all the covid and the problems it is causing. We are trapped in our house due to immune issues. Go to doctor appointments and that is it pretty much. Masking and distancing anyway there. Cancer has taken so much from our lives already and and cna't even travel we feel. So sad.