[BreachExchange] Online printing site Doxzoo exposed thousands of customer files
Destry Winant
destry at riskbasedsecurity.com
Thu Mar 26 10:18:14 EDT 2020
https://finance.yahoo.com/news/online-printing-doxzoo-exposed-thousands-153048184.html
Doxzoo proudly says on its website that your "documents are in safe
hands." But for some time, that wasn't true.
The U.K. printing company left its customer files on a cloud storage
bucket, hosted on Amazon Web Services, without a password. Anyone who
knew the easy-to-guess bucket name could access the massive trove of
customer files. By the time the company secured the bucket, it
contained more than 250,000 customer-uploaded files.
When reached by email, Paul Bennett, one of the company's directors,
confirmed the exposure.
"The data we store [with Amazon] is solely the files we use for
printing their documents and we have a clear privacy policy on our
website to cover how this data is held," said Bennett.
"We frequently review processes and technical architectures to ensure
we adhere to current best practices. We are committed to providing the
best possible service to our customers and take the security of their
personal data very seriously," he added. "We have already sought
guidance from the ICO on our data security and the precautions we
take."
But a spokesperson for the U.K.'s Information Commissioner's Office
(ICO) said it has not received a notification of a security lapse from
Doxzoo.
“People have the right to expect that organizations will handle their
personal information securely and responsibly," the ICO spokesperson
said. "Where that doesn't happen, people can come to the ICO and we
will look into the details. When a data incident occurs, we would
expect an organization to consider whether it is appropriate to
contact the people affected, and to consider whether there are steps
that can be taken to protect them from any potential adverse effects."
Companies that fall afoul of European data protection rules can be
fined up to 4% of their annual turnover.
At the time of writing, Doxzoo has made no mention on either its blog
or its social platforms about the security lapse.
Doxzoo finds itself in similar company to Rallyhood, a Sprint
contractor, the Democratic Senatorial Campaign Committee, FormGet,
Mixcloud and Samsung, all of which have in the past year left
sensitive data online by mistake.
More information about the BreachExchange
mailing list