Staff training mishap
Sensitive personal data has been shared online in the latest data breach to affect a business in the UK.
Major office space provider Regus had been recording its staff for training purposes and had compiled personal information and performance-based details on its employees. Regus’s parent company, IWG, employed third-party mystery shopping firm Applause to carry out undercover training for them.
Set to ‘private’
The personal details of 900 Regus employees were then found published online on a public Trello board (a software-based organisation tool). This data breach comes after government and NHS departmental information had been leaked via the tool over the past few years.
Trello boards are set to ‘private’ by default and must be manually changed to ‘public’ by the user. Safeguards do, however, exist to alert the user and confirm that the board is being made ‘public’.
As search engines index public Trello boards, anyone could, in theory, see the data. A Telegraph report found that a spreadsheet with names, addresses and job performance data was easily found on Google.
Regus is said to be very concerned that a third party had published the findings of their training programme online. They took immediate action and had the content removed, but it is unknown how long the data was publicly available and whether any of the data got into the wrong hands.
The data breach was allegedly not reported to the UK’s Information Commissioner’s Office (ICO). The protocol is for companies in the UK to report any breaches to the ICO within 72 hours of detection.
As well as Regus’s own staff, the personal details and contact details of the external researchers at Applause were also leaked. Applause is said to be changing its security practices following the incident.
This certainly isn’t a case of blaming Trello and its security practices, but rather a strong warning for companies to reassess where and how they store their data in the future. It also poses the question of whether organisations should be using third-party software tools to store sensitive information.
Would you be worried if your work-related data had been shared online? Let us know @hyve!