Trello boards indexed by major search engines put business processes of Russian companies at risk

04.06.2021


Almost a million Trello boards, thousands of which contain corporate data of large and small Russian companies, were publicly available.

Alexey Parfentiev, leading analyst at SearchInform: “Scammers can use data from the boards to attack company customers or hack corporate Instagram accounts - last fall there was a surge”.

For now, Trello is one of the most popular task managers in Russia. It is used by both the SMB segment and large organizations, including banks.
Organizations have posted the following on Trello boards:
· lists of employees and customers
· contracts
· passport scans
· tender and product development documentation
· credentials for corporate accounts and passwords for various services, etc.
As a result of this negligence, more than 9 thousand boards containing highly sensitive information were publicly available.
By default, access to boards is restricted; however, users switch boards to public for convenience. Once a board is public, search engines start indexing it.

The open-board problem is not a new phenomenon. In 2017, Trello boards exposed data from Rostelecom (Russia's leading long-distance telephony provider), Acronis (a global technology company), and MTS (the largest mobile network operator in Russia). In 2018, KrebsOnSecurity also reported a leak from the ride-hailing service Uber.
 
Alexey Parfentiev, leading analyst at SearchInform:
For exposing employee and customer confidential data, companies may face fines under the Personal Data Protection Act. In February 2021, the State Duma passed a bill to increase the fines for violating the law on Personal Data.

For now, the main recommendation for Russian companies is to switch to paid online project managers or avoid posting confidential corporate information in Trello.

