Another week, another leak:
A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files.
Independent security researcher Bob Diachenko discovered the database on August 19 hosted on the Amazon Web Services (AWS) cloud platform. It was 142GB in size and it allowed access without the need to log in.
The sizeable database included scanned documents of the sensitive kind: contracts, non-disclosure agreements, internal letters, and memos. Included were more than 200,000 files from Abbyy customers who scanned the data and kept it at the ready in the cloud.
"Some collection names like 'documentRecognition,' or 'documentXML' hinted that the database would be part of a data recognition company infrastructure," Diachenko writes in a blog post today.
[...] Volkswagen, Deloitte, PwC, PepsiCo, Sberbank, McDonald's are just a few of Abbyy's clients.
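As an added illustration (not from the article and not Abbyy's actual setup), here is the kind of mongod.conf that produces the exposure described above, beside a hardened version. The option names are standard mongod YAML settings; the private address and certificate path are placeholders.

```yaml
# Constructed example of a mongod.conf that leaves the database open,
# not Abbyy's real configuration.
---
# --- WEAK: reachable from the internet, no login required ---
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
                           # (packages before MongoDB 3.6 commonly defaulted to this)
# No "security" section: authorization is disabled by default, so any client
# that can reach port 27017 can list and dump every collection without a password.

---
# --- HARDENED: private interfaces only, TLS, and mandatory authentication ---
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # loopback plus the private address (placeholder)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path to server cert + key
security:
  authorization: enabled             # every client must authenticate and be authorised
```

After enabling authorization, create the first admin user over a localhost session (the localhost exception allows this when no users exist yet), then confirm from a host outside the private network that the port is unreachable and that an unauthenticated `listDatabases` is refused.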
(Score: 0) by Anonymous Coward on Thursday August 30, @08:05AM
(Score: 0) by Anonymous Coward on Thursday August 30, @08:11AM (3 children)
When, oh when will we finally see legislation to penalize this kind of criminal negligence?
I mean, sure, there's lots of things that can go wrong in IT, but *come on*! They didn't even *have* a fucking password on a public-facing server?!? How incompetent can a single person possibly be?!?
Do you think a bank could get away with leaving the vault open and then saying "Oopsie! We may be sorry or not. And we'll just assume that nothing bad happened." ?
/insert standard disclaimer about "somebody else's computer"/
(Score: 0) by Anonymous Coward on Thursday August 30, @08:14AM (1 child)
PS: can the non-disclosure agreement now be considered breached?
(Score: 2) by BsAtHome on Thursday August 30, @10:03AM
If the disclosure of the existence of the NDA was specified, yes, that part would probably be void. At least, if you can argue that the breach caused the NDA to fall into wrong hands.
The disclosure of other information covered under the NDA is much harder to argue. Such information is not specified in the NDA itself and you would need to prove that someone else has gathered the specific information from elsewhere (either from the breach or elsewhere). That burden is much higher.
(Score: 2) by PiMuNu on Thursday August 30, @09:07AM
It already is in Europe:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation [wikipedia.org]
I thought this was an interesting wikipedia entry also:
https://en.wikipedia.org/wiki/Criminal_negligence [wikipedia.org]
