A preventable security lapse exposed sensitive recordings of domestic abuse victims

Data breaches involving personally identifiable information always pose risks for individual safety. But it's astronomically more terrifying for domestic abuse survivors.

Abusive husband beating his wife. Vector artwork depicts domestic problem, exploitation of women, se...

Cybersecurity firm vpnMentor has discovered a data breach affecting the domestic violence prevention app known as the Aspire News App that it says could easily have been prevented with a few rudimentary security steps. The app appears as a news app on the user's smartphone and can be activated to alert a trusted contact to potential and already-occuring domestic violence. With proper security, it can save lives.

What we know — According to vpnMentor, the data breach that hit Aspire News App led to the leaking of at least 4,000 recordings of domestic abuse survivors. In many instances, researchers highlight that survivors could be heard giving their personal names, addresses, phone numbers, and revealing the disturbing and distressing nature of the abuse occurring at the time. All of this sensitive information was stored in a misconfigured Amazon Web Services bucket — which the researchers note is usually the "result of an error by the owner," not Amazon.

It's a lesson to all developers but particularly anyone involved in providing tech support and storage to vulnerable groups. In this specific instance, data privacy is top priority. Any sort of lapse on that front directly endangers people seeking safety from their abusers.

Timeline and storage issue — The data goes back to recordings taken in 2017 up to 2020. The potential repercussions of such recordings reaching the public is that abusers can use the personally identifiable information to blackmail survivors or reveal their identities and others associated with them to endanger their lives. It can potentially trigger trauma in affected survivors and force them to remember deeply upsetting incidents from their past.

The breach was addressed on June 24, according to vpnMentor. Researchers have advised the app's developers to seriously contend with proper access regulations, authentication protocol, sound configuration of storage buckets, and securely encrypting data.

Do better — It should not have to be said, but apps and websites concerning domestic violence have a special obligation to maintain solid security and access protocol. Any kind of failure on that front results in creating hurdles in the very mission of these programs: that is, to protect and shield domestic abuse survivors from the people who seek to hurt them.