Transparency is usually considered a good thing. But when it means your company is an open book, it’s gone too far.
One such instance came to light recently when vpnMentor, a firm that bills itself as an “ethical hacking group,” discovered an alarming lack of e-mail protection and encryption during a web-mapping project involving an international piping, valve and fitting manufacturer.
I’m going to shield the name of the company in the interest of “discretion being the better part of valor,” but the company’s data that was found to be visible is amazingly broad and deep. Reportedly it included:
- Project bids
- Product prices and price quotations
- Discussions concerning suppliers, clients, projects and internal matters
- Names of employees and clients
- Internal e-mail addresses from various branch offices
- Employee IDs
- External/client e-mail addresses, full names and phone numbers
- Information on company operations
- Travel arrangements
- Private conversations
- Personal e-mails received via company e-mail addresses
Basically, this company’s entire business activities are laid out for the world to see.
The vpnMentor research team was able to view the firm’s “confidential” e-mail communications. Amusingly, among them the team saw the very e-mails it had sent to the firm warning about the security breach (which the company never answered).
“The most absurd part is that we not only know that they received an e-mail from one of the journalists we work with, alerting them to the leak in this report, but we [also] know they trashed it,” as one of the team members noted.
The company in question isn’t some small, inconsequential entity. It operates in 18 countries, including the biggies like Germany, France, the United States, Canada and Brazil. So the implications are wide-ranging, not just for the company in question but also for everyone with whom it does business.
The inevitable advice from vpnMentor to other companies out there:
“Review your security protocols internally and those of any third-party apps and contractors you use. Make sure that any online platform you integrate into your operations follows the strictest data security guidelines.”
Are you aware of any security breaches that have happened with other companies that are as potentially far-reaching as this one? It may be hard to top this particular example, but if you have examples that are worth sharing, I’m sure we’d all find them interesting to hear.