Both the Canadian and UK governments have been criticized for their “carelessness” in leaving sensitive data exposed on the internet for everyone to see.
The data was saved on the cloud-based project management website Trello but was accessible on the open web; experts say the blunder was a result of “human error.”
The vulnerability was first discovered in April by Kushagra Pathak, a cyber-security researcher. He told RT that by using advanced Google search queries, he “found that a lot of individuals, companies, and organizations are putting their sensitive information on their public Trello boards.”
Of the various organizations that had mistakenly exposed their confidential data on the website, Pathak found that the Canadian and the UK governments had together 50 pages that were made publicly available by public servants.
“Information like unfixed bugs, security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards - you name it, is available on their public Trello Boards which are being indexed by all the search engines and anyone can easily find them and view them without any restriction or hacking something,” Pathak remarked.
Pathak also noted that the problem was not even on Trello’s part – the platform sets all boards’ visibility settings to private by default, and it requires users to manually set the boards to public. He suggested that it may have been a mistake, or it was done for the “sake of easiness.”
Another expert also said that the governments were directly at fault for the leak.
Bill Mew, founder and owner of IT services company Mew Era Consulting, told RT that the incident was “carelessness and nothing more,” noting that similar incidents have occurred in recent months involving companies like Uber. He offered assurances that migrating systems to the cloud is a normally secure process.
“But you have to avoid some of the fundamental mistakes, such as the one that was made in this case,” he warned.
“This is just an example of the fact that users are very often the weakest link in all of this.”