Security Gaffe Leaves IT Director's Data Exposed
Article date: Thu, 26 Jul 2012 11:12 GMT
A gaping hole in an events company's cyber security left not only its whole customer database openly available online, but also scans of its IT director's passport and bank statement viewable via a simple online search.
The security blunder left customers' personal details - including account usernames and passwords, email and home address, phone numbers and which package they requested, from lap dancing to burlesque lessons - openly available to view and download as an Excel spreadsheet.
Discovered through a simple Google search as part of hosting specialist UKFast's cyber security investigation, the database was not the only sensitive information that the events company had neglected to protect. After discovering the gaping hole in the company's security infrastructure, UKFast's security division went on to find personal details of employees including scanned images of the IT director's current passport and bank account statement.
Stuart Coulson, director of data centres and head of UKFast's security team, explained more about the gaffe: "The security experts, including ethical hackers, at UKFast regularly monitor the state of cyber security on the web and often find businesses that believe that, because the data is not directly accessible through their website's navigation, it is not accessible on the web.
"What they do not realise is that Google is incredibly good at indexing and anything that is stored live on the web server will be found by the search engine, leaving it open for the whole world to see."
The hosting and cloud specialist is carrying out a series of investigations into the current state of cyber security in the hope of raising the profile of online data protection with SMEs.
Coulson continued: "We find that smaller businesses do not see the immediate return from investment in fully securing their IT infrastructure, either through outsourcing or in-house training, leaving them easy prey for hackers.
"The damage to brand reputation that a data breach can cause may be temporary for a large firm like Sony but for a small company it can be disastrous; research has shown that 90% of SMEs close permanently within two years of a cyber security breach."
The team at UKFast contacted the affected events business to explain how much data was openly available. According to the business, the .htaccess file that had been providing password protection for the protected documents had been inadvertently deleted by a member of staff months previously, leaving private files open for all to see.
Coulson said: "This is a prime example of how important it is to constantly monitor your online presence. The only way to ensure that you are secure is to test for any vulnerabilities, fix them and retest. It should be a constant cycle. Using this simple strategy, this events company could have prevented putting their clients at risk of ID fraud and spear-phishing and risking the company's own reputation."
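The failure described above, a deleted .htaccess file silently removing password protection, can be caught by a scheduled check on the web server. The script below is an added example, not code from UKFast or the affected company; the function names and directory names are hypothetical, and it assumes an Apache server that honours .htaccess files for authentication (AllowOverride AuthConfig) rather than protecting the directories in the main server configuration.

```python
import re
import sys
from pathlib import Path

# Both directives must be present for .htaccess password protection to apply.
AUTH_TYPE = re.compile(r"^\s*AuthType\s+\S+", re.IGNORECASE | re.MULTILINE)
# "Require all granted" opens the directory, so it does not count.
REQUIRE = re.compile(r"^\s*Require\s+(?!all\s+granted)\S+",
                     re.IGNORECASE | re.MULTILINE)


def find_auth_htaccess(directory, webroot):
    """Return the nearest .htaccess (in directory or a parent, up to webroot)
    that sets AuthType and a restrictive Require, or None if there is none."""
    current, webroot = Path(directory).resolve(), Path(webroot).resolve()
    while True:
        candidate = current / ".htaccess"
        if candidate.is_file():
            text = candidate.read_text(errors="replace")
            if AUTH_TYPE.search(text) and REQUIRE.search(text):
                return candidate
        # Apache merges .htaccess files from parent directories, so keep
        # walking up until the web root (or the filesystem root) is reached.
        if current == webroot or current == current.parent:
            return None
        current = current.parent


def audit(webroot, protected_dirs):
    """Return (relative_path, status) for each directory that must be protected."""
    webroot = Path(webroot)
    results = []
    for rel in protected_dirs:
        target = webroot / rel
        if not target.is_dir():
            results.append((rel, "MISSING_DIR"))
        elif find_auth_htaccess(target, webroot) is None:
            results.append((rel, "UNPROTECTED"))
        else:
            results.append((rel, "OK"))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py WEBROOT DIR [DIR ...]")
    findings = audit(sys.argv[1], sys.argv[2:])
    for rel, status in findings:
        print(f"{status:12} {rel}")
    # Non-zero exit lets cron or a monitoring agent raise an alert.
    sys.exit(1 if any(status != "OK" for _, status in findings) else 0)
```

Run on a schedule against the list of directories that are supposed to be private, this turns an accidental deletion into an alert within one check interval instead of months of exposure.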
As part of UKFast's investigation, the firm recently revealed that several of the UK's local government bodies had unsecured databases that could be found through a simple Google search, and that a "hacker's dream" super-cracker tool capable of processing 9 billion passwords a second can be bought for less than the cost of a standard PC.