We are presently in one of the most hostile cyber environments that have ever existed. However, this by no means implies that every privacy or security breach is solely the work of some cyber criminal or hacker.
A recent privacy breach bears this out: an application developer’s Azure blob was left completely exposed and up for grabs over the internet. Incidents like this are a stark reminder that security is a whole mindset.
While this is still a developing story and the UK’s Information Commissioner’s Office is also looking into it, there has been little to no official word from the entity in question, a Surrey-based app developer called Probase.
Ironically, the blob contained highly sensitive and confidential records of a wide range of Probase clients. With no security controls in place whatsoever, the blob was entirely public-facing and anyone with a file address could access this information.
It is estimated that the blob contained over half a million sensitive and confidential records. Although there is still speculation about the exact age of the data therein, some records examined by independent privacy experts point to a span from at least 2013 to date.
The data stored in the unsecured blob included health records of aspiring job candidates, insurance claim documents, professional assessments by senior barristers of their junior counterparts and much more.
The blob in question was being used by Probase to manage the data related to one of the app developer’s CRM products. The estimated 587,000 files included emails, letters, spreadsheets, screenshots and more.
The issue was brought to light by an information security researcher, Oliver Hough. There are two sad sides to this story. Firstly, the issue was reported by an “outsider”, who was not directly an employee of Probase.
Secondly, had this issue been pointed out by someone from within the organization, we as the general public may never have learnt about the matter at all. Leaving these ironies aside, this incident is yet another reminder for us all to reassess our privacy and security.