The important things to answer are:
- What's the ethical thing to do?
- What's the morally right thing to do?
- What's the legal thing to do?
- Do I have to act?
- What would happen if I didn't act?
I think there is general agreement that it was a right choice (morally and ethically) to notify the local IT staff, as well as the appropriate CERT.
Now that has been exhausted, what's next? We should probably look at what would happen if you sat on your hands and did nothing else:
- You did the morally right thing to do
- You did an ethically sound action
- You are covered legally, as you reported the issue
- Someone else could potentially find the personally sensitive documents
When I submit a security issue, I always get something in writing. From my time in law enforcement, I had a strong policy of CYA, better known as "cover your a**". It's unclear if you did this, but this leads into, "Should I follow up?". You are under no bounds to force people to dig this back up, but you may want to. I would advise speaking with the individual directly, by email, instead of the CERT. You could word the email this way:
Good afternoon,
It's important that the two of us communicate, as it has come to my attention your personal files are out on the web.
I have notified the local IT team and was hoping they would follow up with you, but this doesn't seem to be the case.
I would strongly recommend we talk about this, as the documents (at least from the file names) look to be personal and sensitive. I respect your privacy, and that's why I'm emailing you now, as someone has failed their duty to bring this to your attention.
You can give me a call at XXX XXX XXX ext. XXXX or email at XXXXXXX@XXXX.XX
Thanks.
I have found it important not to put too much information in the email, as it pertains to potentially private information, and you don't know who will be reading the email. Also avoid putting links in emails like these, as spam systems might throw the message in the spam folder to never see the light of day again.
Looking at the situation, you are again under no obligation to dig this all back up. From the sound of it, patching privacy issues is not your concern; it isn't your job to do. However, out of respect for the person, you would want to consider emailing/phoning them, as someone else seems to have failed their job. The only two repercussions that can come out of it are:
- They say thank you, and they get to work about fixing it themselves
- They become angry, thinking you have "hacked" into their files, and report it.
With the last option, if it's likely, attach a copy of emails you have sent so that the end individual is aware you tried to resolve it.