Serviced offices and co-working space provider Regus has suffered a data breach that saw job performance data on more than 900 employees of Regus owner IWG published online.
The incident occurred after IWG commissioned mystery shopping business Applause to audit sales staff performance using covert filming. However, the results - listing names, work contact details and performance data - were accidentally leaked through task management website Trello. A spreadsheet containing the information could be mined via Google search, according to the Telegraph, apparently because the Trello board had been accidentally set to ‘public’.
The Regus files were leaked through a public Trello board - the same issue which meant we were able to find internal government and NHS files in 2018 https://t.co/gdOyZ2BFUb
— James Cook (@JamesLiamCook) 20 January 2020
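The exposure described above came down to one board-level visibility setting. As an added example (not from the article, Regus, IWG or Applause), the following Python audit lists boards that are readable without logging in; the Trello endpoint and the `prefs.permissionLevel` field are assumptions about the API shape, and the sample boards are constructed.

```python
"""Audit Trello board visibility: flag boards whose permission level makes them
readable without authentication, and therefore indexable by search engines."""
import json
import urllib.parse
import urllib.request

# Assumption: a Trello board object carries prefs.permissionLevel with values
# such as "private", "org" and "public". Only "public" is reachable anonymously.
PUBLIC_LEVELS = {"public"}


def find_public_boards(boards):
    """Return (name, url, level) for every board readable without a login."""
    exposed = []
    for board in boards:
        level = (board.get("prefs") or {}).get("permissionLevel", "unknown")
        if level in PUBLIC_LEVELS:
            exposed.append((board.get("name", "?"), board.get("url", "?"), level))
    return exposed


def fetch_boards(api_key, token):
    """Fetch the calling user's boards via the Trello REST API (assumed endpoint)."""
    query = urllib.parse.urlencode(
        {"fields": "name,url,prefs", "key": api_key, "token": token}
    )
    url = "https://api.trello.com/1/members/me/boards?" + query
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample mirroring the assumed API shape, so the audit runs offline.
SAMPLE_BOARDS = [
    {"name": "Sales audit results", "url": "https://trello.com/b/EXAMPLE1",
     "prefs": {"permissionLevel": "public"}},
    {"name": "Internal onboarding", "url": "https://trello.com/b/EXAMPLE2",
     "prefs": {"permissionLevel": "org"}},
    {"name": "Personal todo", "url": "https://trello.com/b/EXAMPLE3",
     "prefs": {"permissionLevel": "private"}},
    {"name": "Legacy board", "url": "https://trello.com/b/EXAMPLE4"},  # no prefs
]

if __name__ == "__main__":
    # Swap SAMPLE_BOARDS for fetch_boards(key, token) to audit a real account.
    for name, url, level in find_public_boards(SAMPLE_BOARDS):
        print(f"PUBLIC: {name} ({url}) permissionLevel={level}")
```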
"We are extremely concerned to learn that an external third-party provider inadvertently published online the outcomes of an internal training and development exercise. As our primary concern we took immediate action and the external provider has now removed the content," a Regus spokesman told the newspaper.
"Since being made aware of this issue, we have reiterated our InfoSec policies with our worldwide employees, and have run an internal audit to confirm that there are no other unapproved third-party software tools being used in any client engagements," an Applause spokesman told The Telegraph.
The UK’s Information Commissioner’s Office refused to comment on whether the breach had been reported or not.
This type of third-party breach might be down to human error, but the level of business risk involved should not be underestimated, said Mark Kedgley, CTO at New Net Technologies.
"The GDPR teeth are already biting, with over €100 m (£83 m) in fines already issued across the EU since the 2018 legislation came into action. In the UK, it seems the ICO are still using fines sparingly to maximise the impact when they do, with BA made an example of last year with the threat of a £183 m fine for their security lapse," he told SC Media UK.
"The message to all business operating within the EU region is clear: breaches involving the exposure of personal information will cost you financially and in customer trust. The best advice is to review your internal security operations against the CIS Controls to maximise cyber defences, and always make use of encryption where possible for personally identifiable information as a backstop, so that even in the event of a breach, the data is unusable."
This data breach will very likely result in another EU GDPR discussion about the importance of security by design when processing or collecting personal information, said Thycotic security scientist Joseph Carson.
"Many companies continue to sacrifice security for convenience when using collaboration tools and lack a sufficient risk assessment before storing sensitive information. Companies need to put security first as a critical priority and assess risk before using such tools to store personal information," he told SC Media UK.
"The importance of privileged access management is crucial here. Any database, system or solution that stores sensitive data must be protected first by a strong privileged access management solution that will force authentication and authorisation and reduce the risk of open shares and public databases being exposed in the future. Don’t be the next victim: assess your security before placing personal data and put privileged access first before using such collaboration solutions."