[BreachExchange] Regus suffers staff data breach via third party

Destry Winant destry at riskbasedsecurity.com
Wed Jan 22 10:01:29 EST 2020


https://www.scmagazineuk.com/regus-suffers-staff-data-breach-via-third-party/article/1671432

Serviced offices and co-working space provider Regus has suffered a
data breach that saw job performance data on more than 900 employees
of Regus owner IWG published online.

The incident occurred after IWG commissioned mystery shopping business
Applause to audit sales staff performance using covert filming.
However, the results - listing names, work contact details and
performance data - were accidentally leaked through the task management
website Trello. According to the Telegraph, a spreadsheet containing
the information could be found via Google search, apparently because
the Trello board had been set to 'public'. A public Trello board is
viewable by anyone with the link and can be indexed by search engines,
so the exposure did not require any credentials or access to IWG's
systems.
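The misconfiguration here is a board-level visibility setting, which makes it easy to audit. The script below is an added example, not code from the article or from Trello, that lists boards whose visibility is 'public' (or unrecorded) so they can be reviewed. It assumes the Trello REST API shape that a practitioner would use for such a check: `GET /1/members/me/boards?fields=name,url,prefs`, with `prefs.permissionLevel` being one of `private`, `org` or `public`. The sample board data is constructed so the audit logic runs offline; the `TRELLO_KEY`/`TRELLO_TOKEN` environment variables and the live fetch are assumptions for real use.

```python
"""Audit Trello boards for public visibility.

Added example, not code from the article or from Trello. Assumes the
Trello REST API returns, for GET /1/members/me/boards?fields=name,url,prefs,
a JSON list of boards whose prefs.permissionLevel is "private", "org"
or "public". The sample data below is constructed for the example.
"""
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what the boards endpoint returns (not real boards).
SAMPLE_BOARDS_JSON = json.dumps([
    {"id": "b1", "name": "Sales audit results",
     "url": "https://trello.com/b/b1/sales-audit",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b2", "name": "Team roadmap",
     "url": "https://trello.com/b/b2/roadmap",
     "prefs": {"permissionLevel": "org"}},
    {"id": "b3", "name": "Personal todo",
     "url": "https://trello.com/b/b3/todo",
     "prefs": {"permissionLevel": "private"}},
    # No permissionLevel recorded: treated as unknown and flagged for review
    # rather than silently assumed private.
    {"id": "b4", "name": "Legacy board",
     "url": "https://trello.com/b/b4/legacy",
     "prefs": {}},
])


def load_boards(raw_json):
    """Parse the JSON list returned by the boards endpoint."""
    boards = json.loads(raw_json)
    if not isinstance(boards, list):
        raise ValueError("expected a JSON list of boards")
    return boards


def find_exposed_boards(boards):
    """Return boards that are public or whose visibility cannot be determined.

    Each result carries name, url and the visibility level ('unknown' when
    the prefs object has no permissionLevel), in the order they were listed.
    """
    exposed = []
    for board in boards:
        prefs = board.get("prefs") or {}
        level = prefs.get("permissionLevel")
        if level == "public" or level is None:
            exposed.append({
                "name": board.get("name"),
                "url": board.get("url"),
                "permissionLevel": level or "unknown",
            })
    return exposed


def fetch_boards(api_key, token):
    """Fetch the caller's boards from the Trello API (network call; assumed
    endpoint and parameters, credentials are hypothetical)."""
    params = urllib.parse.urlencode({
        "key": api_key, "token": token, "fields": "name,url,prefs",
    })
    url = "https://api.trello.com/1/members/me/boards?" + params
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def main():
    key, token = os.environ.get("TRELLO_KEY"), os.environ.get("TRELLO_TOKEN")
    if key and token:
        boards = fetch_boards(key, token)
    else:
        boards = load_boards(SAMPLE_BOARDS_JSON)
    for b in find_exposed_boards(boards):
        print(f"{b['permissionLevel']:8} {b['name']}  {b['url']}")


if __name__ == "__main__":
    main()
```

Run without credentials to see the two flagged sample boards; with `TRELLO_KEY` and `TRELLO_TOKEN` set it audits the token owner's own boards. Boards with no recorded visibility are flagged on purpose: a check that only looks for the literal string `public` would miss exactly the boards nobody has looked at.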

The Regus files were leaked through a public Trello board - the same
issue which meant we were able to find internal government and NHS
files in 2018 https://t.co/gdOyZ2BFUb

— James Cook (@JamesLiamCook) 20 January 2020

"We are extremely concerned to learn that an external third-party
provider inadvertently published online the outcomes of an internal
training and development exercise. As our primary concern we took
immediate action and the external provider has now removed the
content," a Regus spokesman told the newspaper.

"Since being made aware of this issue, we have reiterated our InfoSec
policies with our worldwide employees, and have run an internal audit
to confirm that there are no other unapproved third-party software
tools being used in any client engagements," an Applause spokesman
told The Telegraph.

The UK’s Information Commissioner’s Office refused to comment on
whether the breach had been reported or not.

This type of third party breach might be down to human error, but the
level of business risk involved should not be underestimated, said
Mark Kedgley, CTO at New Net Technologies.

"The GDPR teeth are already biting, with over €100 m (£83 m) in fines
already issued across the EU since the 2018 legislation came into
action. In the UK, it seems the ICO are still using fines sparingly to
maximise the impact when they do, with BA made an example of last year
with the threat of a £183 m fine for their security lapse," he told SC
Media UK.

"The message to all businesses operating within the EU region is clear:
breaches involving the exposure of personal information will cost you
financially and in customer trust. The best advice is to review your
internal security operations against the CIS Controls to maximise
cyber defences, and always make use of encryption where possible for
personally identifiable information as a backstop, so that even in the
event of a breach, the data is unusable."

This data breach will very likely result in another EU GDPR discussion
about the importance of security by design when processing or
collecting personal information, said Thycotic security scientist
Joseph Carson.

"Many companies continue to sacrifice security for convenience when
using collaboration tools and lack a sufficient risk assessment before
storing sensitive information. Companies need to put security first as
a critical priority and assess risk before using such tools to store
personal information," he told SC Media UK.

"The importance of privileged access management is crucial here. Any
database, system or solution that stores sensitive data must be
protected first by a strong privileged access management solution that
will force authentication and authorisation and reduce the risk of
open shares and public databases being exposed in the future. Don't be
the next victim and assess your security before placing personal data
and put privileged access first before using such collaboration
solutions."
