posted by chromas on Thursday August 30 2018, @07:20AM
from the can-you-read-me-now? dept.

Another week, another leak:

A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files.

Independent security researcher Bob Diachenko discovered the database on August 19 hosted on the Amazon Web Services (AWS) cloud platform. It was 142GB in size and it allowed access without the need to log in.

The sizeable database included scanned documents of the sensitive kind: contracts, non-disclosure agreements, internal letters, and memos. Included were more than 200,000 files from Abbyy customers who scanned the data and kept it at the ready in the cloud.

"Some collection names like 'documentRecognition,' or 'documentXML' hinted that database would be part of a data recognition company infrastructure," Diachenko writes in a blog post today.

[...] Volkswagen, Deloitte, PwC, PepsiCo, Sberbank, McDonald's are just a few of Abbyy's clients.

Should have used invisible ink.
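As an added defender-side example (not from the article, and not Abbyy's real configuration, which is not public), here is a small check for the two mongod.conf settings that produce exactly the failure described above, a database reachable from the Internet with no login: `net.bindIp` and `security.authorization`. The two configs are constructed samples and the audit assumes MongoDB 3.6+ defaults.

```python
# Constructed sample (not Abbyy's real config): listens on every interface, no authorization.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""
# Constructed sample: loopback only, with role-based authorization enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of mongod.conf YAML (no PyYAML needed)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit(text):
    """Return findings for the two settings behind 'reachable by anyone, no login'."""
    conf = parse_conf(text)
    findings = []
    # mongod's default is authorization disabled: anyone reaching the port reads every collection.
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    # Assumes MongoDB 3.6+, where an absent bindIp means localhost; 0.0.0.0 or a
    # routable address puts the listener on the Internet side of the host.
    bind = conf.get("net", {}).get("bindIp", "127.0.0.1")
    public = [ip.strip() for ip in bind.split(",")
              if ip.strip() not in ("127.0.0.1", "localhost", "::1")]
    if public:
        findings.append("net.bindIp listens on non-loopback: " + ", ".join(public))
    return findings
```

Running `audit(EXPOSED_CONF)` returns both findings, `audit(HARDENED_CONF)` returns an empty list; an empty result only means these two settings are sane, not that the host's firewall or security group is.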



  • (Score: 0) by Anonymous Coward on Thursday August 30 2018, @08:11AM (4 children)

    by Anonymous Coward on Thursday August 30 2018, @08:11AM (#728198)

    When, oh when will we finally see legislation to penalize this kind of criminal negligence?

    I mean, sure, there's lots of things that can go wrong in IT, but *come on*! They didn't even *have* a fucking password on a public-facing server?!? How incompetent can a single person possibly be?!?

    Do you think a bank could get away with leaving the vault open and then saying "Oopsie! We may be sorry or not. And we'll just assume that nothing bad happened." ?

    /insert standard disclaimer about "somebody else's computer"/

  • (Score: 0) by Anonymous Coward on Thursday August 30 2018, @08:14AM (1 child)

    by Anonymous Coward on Thursday August 30 2018, @08:14AM (#728200)

    PS: can the non-disclosure agreement now be considered breached?

    • (Score: 2) by BsAtHome on Thursday August 30 2018, @10:03AM

      by BsAtHome (889) on Thursday August 30 2018, @10:03AM (#728217)

      If the disclosure of the existence of the NDA was specified, yes, that part would probably be void. At least, if you can argue that the breach caused the NDA to fall into wrong hands.

      The disclosure of other information covered under the NDA is much harder to argue. Such information is not specified in the NDA itself and you would need to prove that someone else has gathered the specific information from elsewhere (either from the breach or elsewhere). That burden is much higher.

  • (Score: 2) by PiMuNu on Thursday August 30 2018, @09:07AM

    by PiMuNu (3823) on Thursday August 30 2018, @09:07AM (#728206)

    It already is in Europe:

    https://en.wikipedia.org/wiki/General_Data_Protection_Regulation [wikipedia.org]

    I thought this was an interesting wikipedia entry also:

    https://en.wikipedia.org/wiki/Criminal_negligence [wikipedia.org]

  • (Score: 0) by Anonymous Coward on Friday August 31 2018, @09:43AM

    by Anonymous Coward on Friday August 31 2018, @09:43AM (#728688)

    I have an account in a bank with all written denials about processing my data for marketing. No agreement to pass the data to companies for marketing goals, to send newsletters, to use the data for any other purpose than bank procedures. Good, but about 2 years ago I started to receive e-mails with spam from this bank. I decided to investigate the case. First phone call - they told me that it had to be a coincidence. Yeah, you have so many profiling scripts on the bank webpage, scripts which I had to run to use the services, to connect me with a contract which prohibits marketing information and to tell the partners who serve these scripts that I don't want any spam...
    But the true circus started when I went to the bank to prolong the account and open another one with a bit higher interest rate. I asked about the spam and I got the answer that "there was a breach". Wait, it's not spam about Russian black-market steroids for my pecker (genuine fake watch gratis), it's spam from you! What breach exactly?
    "The company which sent e-mail for us got access to a full database".
    And what next? Any way to revoke this access and deny processing?
    "It has been revoked, but the e-mails are in their database." WHAT? It's not a village bank led by a local alderman, as you can read from the first sentences of my post, it's quite a large bank group :).
    My opinion is that there was no breach at all. Just the bank, probably at some country department level, wanted to send spam, so they used a breach as an excuse.
    The problem is that we can't do much about it. It looks like a case famous in my country, in which a company was sued for violating the GPL. They just delayed the whole investigation until the product became obsolete and people forgot about its software.
    There must be some responsibility, but the problem is that no company wants it because:
    1. It's easier to keep transferring data with a breach as an excuse.
    2. Nobody in a large company understands the system 100%.
    3. Terminals and thin clients are obsolete and insecure as hell.
    4. With the current state of imaginary... err.. intellectual property it is impossible to audit a system completely.
    So the responsibility will not work - there will be a "breach". And even if we introduce responsibility for breaches, this will end with seeking a single scapegoat instead of punishing a company's business accordingly.
    Introduction of a centralized data processing blacklist in the form of forbidden hashes may be a good idea if introduced at a system level. Then the data will just not be present in the proper databases, but every time somebody talks about standardization, at least in my part of the world, all companies screech about the return of communism :D.