Whether it is a personal board to keep track of shopping lists, or a shared board with colleagues to coordinate team tasks, many people use Trello – the online collaboration platform that has transformed the to-do-list as we know it.
However, the platform is not without its drawbacks. Whilst Trello boards should be set to private by default, so that only members of the board can see and edit the contents, users can easily, and perhaps unknowingly, make their boards public – meaning anyone on the internet can see them.
Search engines, such as Google, index public Trello boards, making it easy for anyone to search for the contents of a board using a ‘dork’ search (also informally known as Google hacking). A dork search uses advanced search operators to find information that is not readily available on a website. So, if you have your ‘bills to pay’ list on a public Trello board – your finances are wide open for the world to see.
Following the recent news of office space company Regus exposing the performance ratings of hundreds of its staff via a public Trello board, cybersecurity experts have started to dig deeper into other potentially exposed public data.
Craig Jones, Global Cybersecurity Operations Director at Sophos, has been following Trello’s online security issues since 2018 – and what he has found is quite alarming.
Staff boards showing personal information such as names, dates of birth, emails, ID numbers and bank details were stored on public boards for anyone to access – identity theft waiting to happen. Other work boards belonged to HR departments, displaying job offers, salaries, bonuses and contractual obligations. A housing company even used a public Trello board to detail fixes required in various houses – including broken door locks!
Who is to blame?
Whilst it would be easy to blame Trello, the fault really lies with the user. Michael Pryor, Trello’s co-founder, maintains that all Trello boards are set to private by default and that “visibility settings are displayed persistently on the top of every board”.
We can assume that these boards are not deliberately set to public by the companies running them, which suggests a lack of education in the platform they are using. Craig Jones commented, “These tools are so accessible to people. They’re accessible to people who don’t necessarily understand their full function, and their accessibility is also a curse in some senses”.
Do you use Trello?
There is a simple way to safeguard your personal data on Trello – set all of your boards to private! Perhaps a more obvious move is to avoid putting any information that you wouldn’t want to end up in public view on the internet in the first place – not just on Trello, but on any digital service.
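If you or your team have more than a handful of boards, checking each one by hand gets tedious. The script below is an added example, not code from Trello or from this article: it audits your own boards by visibility, assuming the `prefs.permissionLevel` field returned by Trello's REST API boards endpoint, and runs offline against a constructed sample response.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.trello.com/1/members/me/boards"

# Visibility values Trello reports in prefs.permissionLevel, mapped to an audit verdict.
VERDICTS = {"public": "EXPOSED", "org": "REVIEW", "enterprise": "REVIEW", "private": "OK"}


def fetch_boards(key, token):
    """Return the caller's own boards (needs your Trello API key and token)."""
    query = urllib.parse.urlencode(
        {"key": key, "token": token, "fields": "name,shortUrl,closed,prefs"})
    with urllib.request.urlopen(f"{API}?{query}", timeout=10) as resp:
        return json.load(resp)


def audit_boards(boards):
    """Classify each board by visibility; missing or unknown values are flagged for review."""
    findings = []
    for board in boards:
        level = (board.get("prefs") or {}).get("permissionLevel")
        findings.append({
            "name": board.get("name", "<unnamed>"),
            "url": board.get("shortUrl", ""),
            "visibility": level or "unknown",
            "archived": bool(board.get("closed")),
            "verdict": VERDICTS.get(level, "REVIEW"),
        })
    # Exposed boards first so they are the first thing the reader sees.
    order = {"EXPOSED": 0, "REVIEW": 1, "OK": 2}
    return sorted(findings, key=lambda f: (order[f["verdict"]], f["name"]))


# Constructed sample response (not real boards), so the audit runs offline.
SAMPLE = json.loads("""[
  {"name": "Team tasks", "shortUrl": "https://trello.example/b/aaa", "closed": false,
   "prefs": {"permissionLevel": "org"}},
  {"name": "HR offers", "shortUrl": "https://trello.example/b/bbb", "closed": false,
   "prefs": {"permissionLevel": "public"}},
  {"name": "Shopping", "shortUrl": "https://trello.example/b/ccc", "closed": false,
   "prefs": {"permissionLevel": "private"}},
  {"name": "Old project", "shortUrl": "https://trello.example/b/ddd", "closed": true,
   "prefs": {}}
]""")

if __name__ == "__main__":
    for f in audit_boards(SAMPLE):
        print(f'{f["verdict"]:8} {f["visibility"]:8} {f["name"]}  {f["url"]}')
```

To run it against a real account, pass the result of `fetch_boards(key, token)` to `audit_boards` instead of `SAMPLE`, and set every board marked EXPOSED to private unless it is meant to be public.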
Have you checked if your Trello boards are private? Let us know your thoughts about Trello’s recent security issues @hyve!