“During a routine IT operation, our server was temporarily opened last month,” a Neoclinical spokesperson said.
The company has temporarily shut down its website and has informed the Privacy Commissioner.
Neoclinical’s chief executive is Geoff Denman. According to the Australian Financial Review, Mr Denman was one of the ad executives behind the “Kevin07” campaign that put Labor’s Kevin Rudd in The Lodge. He was also behind the mining industry’s assaults on Labor’s mining super-profits tax and carbon tax.
Questions answered by participants included: Do you suffer from an immune system disease?; Do you use illegal substances?; How often do you use drugs?; Do you have an implanted cardiac device?; Where is your skin condition located?; and Are you looking to regain bladder control?
“A US cyber security company which trawls the internet looking for data access found a way to get around the password protection and access our server,” the Neoclinical spokesperson said. “The cyber security company advised Amazon Web Services, who are our hosting provider, who in turn advised us.
“On receiving this advice we immediately shut down all access to the server. Once the breach from the cyber security company was confirmed, we immediately contacted the Privacy Commissioner’s office about the event and we are informing everyone whose details may have been affected.”
The Neoclinical spokesperson said they did not believe the information exposed would “be used in a malicious way” by UpGuard. “We are seeking reassurances to this effect from the company which breached our server and are contacting them today,” they said.
“We take confidentiality and this breach seriously, to the extent that our site will continue to remain in lockdown and operations suspended until such time that we can be certain that a breach of this kind cannot occur again.”
UpGuard said it uncovered the database on July 1, when one of its computer security researchers detected a database named “neoclinical” on the internet.
“That day the researcher sent an email notification to Neoclinical,” UpGuard said. “The researcher called both phone numbers on Neoclinical’s website, one of which was disconnected and the other [which] was configured to record a 10-second message to be transcribed and sent as text.
“On July 25 the researcher escalated notification to Amazon Web Services security, which followed their standard procedure of saying they would notify the owner of the database.
“On July 26, public access to the database was removed.”
UpGuard said this case was a reminder to participants of clinical trials that “whenever they pass information to a third party, they should consider the impact of that data being exposed”.
“And for companies, it should highlight the importance of having an incident response capability so that when data leaks occur, they can be mitigated within hours rather than weeks,” UpGuard said.
The Privacy Commissioner was informed on Wednesday, after the Herald and The Age contacted Neoclinical.
Ben Grubb is a Desk Editor/Locum Homepage Editor for The Sydney Morning Herald.