- SA medical data startup LogBox left user data and patient records on a database vulnerable to hackers.
- The company is used or has been trialed by Netcare, Lancet, and Wits University Donald Gordon Medical Centre.
- A security researcher managed to gain access tokens that could have allowed access to the information.
- There is no evidence that data was stolen - merely that it was vulnerable.
A database containing access keys for thousands of patient records held by SA medical data startup LogBox was exposed to potential hackers.
A security researcher discovered a vulnerability in LogBox’s systems that allowed him to gain access to an external database holding access tokens for users. According to the researcher, these tokens can be used to get access to user accounts.
LogBox says the vulnerability has since been rectified and it will inform affected users pending an internal investigation.
In reply to questions from Business Insider South Africa, the company explained that "the vulnerability was in a network firewall, rather than in the LogBox application itself. Specifically, it was a case of an unguarded network port, through which access was obtained to a separate (external to LogBox) database of traffic logs, being used for usage-monitoring and technical support purposes."
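The weakness the company describes has two layers: a network port that was reachable when it should not have been, and a traffic-log database that contained live access tokens, so that exposing the logs also exposed the accounts. As an added example (not LogBox’s code, and not from the Business Insider or TechCrunch reporting), the following shows the scrubbing step a defender would place between a request log and any usage-monitoring store, so that an exposed log database cannot double as a token database. The log format, the token shapes and the sample lines are constructed assumptions for this illustration.

```python
import re

# Illustrative example, not LogBox code. Redacts access tokens, API keys and
# session identifiers from HTTP traffic-log lines before they are written to a
# usage-monitoring database. The log layout and secret shapes below are
# assumptions constructed for this example.

# Each entry: (pattern matching "<prefix><secret>", replacement keeping the prefix).
SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" or "Authorization: Token <token>" headers
    (re.compile(r"(Authorization:\s*(?:Bearer|Token)\s+)([A-Za-z0-9\-._~+/]+=*)",
                re.IGNORECASE), r"\1[REDACTED]"),
    # token-like query parameters, e.g. ?access_token=... or &api_key=...
    (re.compile(r"([?&](?:access_token|token|api_key|session)=)([^&\s]+)",
                re.IGNORECASE), r"\1[REDACTED]"),
    # session-style cookie values, e.g. "Cookie: session=...; theme=dark"
    (re.compile(r"(\b(?:session|auth|sid)=)([^;\s]+)",
                re.IGNORECASE), r"\1[REDACTED]"),
]


def redact(line: str) -> str:
    """Return the log line with every recognised secret replaced by [REDACTED]."""
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def contains_secret(line: str) -> bool:
    """A line carries a secret if redacting it would change it.

    Redaction is idempotent, so already-scrubbed lines report False.
    """
    return redact(line) != line


def scrub_log(lines):
    """Scrub a batch of log lines before they leave the application host."""
    return [redact(line) for line in lines]


def audit(lines) -> int:
    """Count lines that still carry a secret; a clean monitoring store scores 0."""
    return sum(1 for line in lines if contains_secret(line))


# Constructed sample traffic log (not real LogBox data or real tokens).
SAMPLE_LOG = [
    "2020-07-08T10:15:01Z GET /api/v1/patient/123 Authorization: Bearer eyJhbGciOi.abc123.sig 200",
    "2020-07-08T10:15:02Z GET /api/v1/forms?access_token=tok_9f8e7d6c 200",
    "2020-07-08T10:15:03Z POST /api/v1/login Cookie: session=s3ss10nV4lu3; theme=dark 302",
    "2020-07-08T10:15:04Z GET /healthz 200",
]

if __name__ == "__main__":
    print("secrets before scrubbing:", audit(SAMPLE_LOG))
    cleaned = scrub_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("secrets after scrubbing:", audit(cleaned))
```

The audit function is the check worth automating: run it against whatever the monitoring database already holds, not only against new lines, because a store that was filled before scrubbing was introduced is exactly the kind of "separate, external" database that becomes a breach when a firewall rule slips.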
The vulnerability comes to light just after South Africa’s massive new data privacy law, the Protection of Personal Information Act of 2013 (or Popi), came into effect.
LogBox was founded in 2010 as a way to help you fill in medical forms. Instead of having to fill in loads of forms when you visit a new doctor, your medical information is kept by LogBox, and can be viewed on the app or website.
The company boasts that your “information is secured according to the highest international standards.”
However, TechCrunch reported that a security researcher, Anurag Sen, managed to find a database containing access tokens for thousands of LogBox users. With these tokens, you could gain access to user accounts without needing to know their password, Sen told TechCrunch.
Sen reportedly informed LogBox of the vulnerability but did not hear back. The database was then apparently pulled after TechCrunch reported on the vulnerability.
Under Popi, companies are required to inform the new Information Regulator and their users of data breaches, although companies have a one-year grace period until July 2021 to comply with the Act.
The company says that it "will file a report as a precautionary measure and as a matter of course, even though what transpired may not constitute a reportable event under the newly-promulgated Popi regulations."
(Compiled by Edward-John Bottomley)