38TB Private Data Leak and $9,000 Fine for 7 Years of Customer Data Exposure
20.09.2023Back to news
In a new roundup of recent information security incidents, we examine two more cases of inadvertent disclosure of private information.
The first occurred in a large organization and was caused by the negligence of an employee.
Microsoft leaked 38TB of private data. This high-profile incident occurred when an employee inadvertently shared an "overly permissive" access signature (SAS) token.
Cloud security specialists Wiz.io. have discovered a link for an Azure Blob store shared by a Microsoft researcher in a public GitHub repository, while contributing to an open-source artificial intelligence (AI) learning model. The link itself contained the SAS token for an internal storage account. The token was configured to grant permissions across the entire storage account, which contained the backups of Microsoft employee workstations with employees' personal information, credentials, secret keys, and 30,000 internal Teams messages. It is claimed that anyone who clicked on the link was even given written permission to the storage bucket, not just view permission.
No customer information was affected, so no customer action was required and the scope of the data leak was limited, according to Microsoft representatives.
The second incident began back in 2015 and could have had far more serious consequences than it actually has.
Century Evergreen, was fined $9,000 by a Singapore data privacy watchdog for leaking the identities of 23,940 people.
The organization mentioned above is a manpower service provider. There are provisions for job seekers to upload identification documents to the company’s website to confirm their identity. However, Century Evergreen failed to properly secure these documents and, due to a website vulnerability, applicants' personal information was available to anyone who wanted it.
The disclosed documents contained the personal information of nearly 24,000 applicants, including
- Full names
- National registration identity card (NRIC).
The incident came to light after the Personal Data Protection Commission (PDPS) received a complaint reporting the vulnerability. Upon investigation, it was discovered that the vulnerability had existed since the site's launch in 2015.
Representatives of Century Evergreen admitted that the company had failed to include security requirements to protect personal data in its contract with the vendor that developed and maintained the website. The amount of the fine took into account the organization’s guilty plea, the speed with which it acted to address the vulnerability, and its poor financial performance over the past year.
To prevent your company's employees from becoming the heroes of our regular reviews, take care of your business's document flow with our helpful how-to document.