Channel: Datameer Blog » Stefan Groschupf

How I hacked California’s largest healthcare provider – by mistake.


BTW, names have been omitted on advice of our lawyers.

It all started when I tried to sign up my then fiancé for a health care plan. After creating the account, the “request a quote” form was long, more than ten pages of questions about pre-existing health conditions. I ended up not having all of the information at my fingertips; luckily there was a “save and continue later” button. A few days later I went back and started typing in the domain name, and my browser suggested the last URL I had visited on that domain. To my surprise, the form page with all my information opened. No redirect to a login page.

Interesting.

I copy/pasted the full URL into another browser and the page opened, no login required. Wow, personal info, credit card, health history – all there without login. The URL had an id=55237 parameter. Now I got curious and concerned at the same time. I changed it to id=55236. OMG, it opened the page of a different person without any login. 55235, same thing. 44567, same thing. How could such sensitive data not be secured?
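The flaw described above is a classic insecure direct object reference: the numeric id in the URL is the only thing selecting the record, and nothing checks that the visitor is logged in or owns it. The following is an added example, not code from the original post or from the company involved, showing that lookup pattern beside a hardened version that requires a session and an ownership check. The record store, user names and field contents are invented for the example; the three ids are the ones the post mentions.

```python
import secrets

# Constructed sample data: quote id -> (owner account, saved form data).
# The owners and the stored text are invented for this example.
QUOTES = {
    55237: {"owner": "alice", "data": "alice's health history and card number"},
    55236: {"owner": "bob", "data": "bob's health history and card number"},
    55235: {"owner": "carol", "data": "carol's health history and card number"},
}


class AuthorizationError(Exception):
    """Raised when a request has no session or asks for someone else's record."""


def load_quote_vulnerable(quote_id):
    """The pattern the post describes: the id taken from the URL is the only
    key used, with no login and no ownership check, so any guessable id works."""
    return QUOTES.get(quote_id)


def load_quote_hardened(session_user, quote_id):
    """Require an authenticated session and verify that the record belongs to
    that session's user before returning any of it."""
    if session_user is None:
        raise AuthorizationError("login required")
    record = QUOTES.get(quote_id)
    if record is None or record["owner"] != session_user:
        # One error for both 'does not exist' and 'not yours', so the response
        # does not confirm which ids are valid.
        raise AuthorizationError("not found")
    return record["data"]


def can_access(session_user, quote_id):
    """True if the hardened lookup would return the record for this session."""
    try:
        load_quote_hardened(session_user, quote_id)
        return True
    except AuthorizationError:
        return False


def new_quote_id():
    """Unguessable id for newly saved forms. The ownership check above is the
    real control; this only removes the sequential-id enumeration."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable, no session:", load_quote_vulnerable(55236))
    print("hardened, alice -> own record:", can_access("alice", 55237))
    print("hardened, alice -> bob's record:", can_access("alice", 55236))
    print("hardened, no session:", can_access(None, 55237))
    print("fresh id:", new_quote_id())
```

The ownership check is what actually closes the hole; switching to random ids alone would only make the ids harder to guess, and an attacker who obtains a link (from a shared browser history, a referer header, or an e-mail) would still get the record.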

I went on their homepage looking for a number to call. When I finally got through their voice menu, the receptionist asked me for my customer number. “I don’t have a customer ID, but I would like to report a security problem on your website.” “Sir – without a customer number I can’t help you.” “Ahmm – seriously? Let me speak to your manager.” “Sir – without a customer ID I can’t put you through to my manager.” “No, you don’t understand – I managed to get access to all your customer data on your website and want to report this.” After endless minutes on hold (and me sweating that my personal and financial data was at risk), I hung up. There were other numbers listed but all ended up in the call center. I tried sending messages to their technical management folks on LinkedIn; 30 minutes later – nothing.

I found the number for the PR department. A woman picked up and I explained that someone technical needed to call me back immediately. Finally a young man from the privacy department called me. At first, he thought I was trying to pull a prank. “We are the largest healthcare provider in California, we take security seriously…” I managed to convince him to open a browser and gave him the full URL. Long silence as I had him change the ID to a few different numbers. He became very nervous and promised to call me back in a few minutes. The next call came from a VP. “I want to inform you that we took our complete website offline investigating the security problem, all senior management is informed including the CEO.” Nice. Finally they took me seriously. To their credit, they kept me in the loop over the next few weeks as they crunched through the log files, analyzing whether any IPs might have accessed more than one customer page.
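The log analysis the company ran afterwards comes down to one question: which client addresses fetched the quote page with more than one distinct id? The following is an added example, not the company's or Datameer's own tooling, that answers it over a handful of constructed access-log lines in combined log format. The path `/quote/continue`, the client addresses and the id 60012 are invented; the other ids are those from the post. It also counts consecutive ids per address, since an enumeration walks neighbouring ids while a real customer revisits the same one.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (combined log format). Addresses are from the
# documentation ranges and the quote-page path is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:01 -0700] "GET /quote/continue?id=55237 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:40 -0700] "GET /quote/continue?id=55236 HTTP/1.1" 200 5040 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:56:02 -0700] "GET /quote/continue?id=55235 HTTP/1.1" 200 4998 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:57:15 -0700] "GET /quote/continue?id=44567 HTTP/1.1" 200 5110 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:14:02:11 -0700] "GET /quote/continue?id=60012 HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:14:09:48 -0700] "GET /quote/continue?id=60012 HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2012:14:12:30 -0700] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

QUOTE_PATH = "/quote/continue"  # assumed path of the saved-form page

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_quote_hits(log_text):
    """Return (client_ip, quote_id) for every successful fetch of the quote page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # malformed line, or the server did not serve the record
        url = urlparse(m.group("path"))
        if url.path != QUOTE_PATH:
            continue
        ids = parse_qs(url.query).get("id")
        if not ids or not ids[0].isdigit():
            continue
        hits.append((m.group("ip"), int(ids[0])))
    return hits


def ids_per_ip(hits):
    """Group the distinct quote ids fetched by each client address."""
    seen = defaultdict(set)
    for ip, quote_id in hits:
        seen[ip].add(quote_id)
    return seen


def suspicious_ips(hits, threshold=1):
    """Addresses that fetched more than `threshold` distinct records. A legitimate
    customer has one saved form, so anything above one deserves a look."""
    return {ip: sorted(ids) for ip, ids in ids_per_ip(hits).items() if len(ids) > threshold}


def sequential_pairs(ids):
    """Count adjacent ids (differing by exactly 1) in the set; a high count is the
    signature of walking the id space rather than opening a few bookmarks."""
    ordered = sorted(ids)
    return sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)


if __name__ == "__main__":
    hits = parse_quote_hits(SAMPLE_LOG)
    for ip, ids in suspicious_ips(hits).items():
        print(f"{ip}: {len(ids)} distinct ids, {sequential_pairs(ids)} consecutive pairs -> {ids}")
```

On real logs the same pass would be run per session cookie as well as per address, since a NAT gateway can legitimately put many customers behind one IP; the consecutive-id count is what separates an office full of customers from a single client enumerating records.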

Interestingly enough, more than a year after this event, Datameer has become one of the leading big data cyber security solution providers. Today a significant number of our customers are using Datameer to analyze log files to identify abnormal server access patterns and perform security forensics. For example, we have customers that analyze their public websites, tracking pages and APIs to identify attacks early. A major private investment service provider is analyzing server logs from hundreds of servers in their service-oriented architecture to understand system interaction and behavior. Two of the leading anti-virus companies are using Datameer to identify threats early and understand how patterns spread by analyzing honeypot log files and virus scanner signals.

BTW, my healthcare insurance application was rejected and the healthcare company is not yet a Datameer user.
