Job performance details about more than 900 employees of a major office-space provider have been published online by accident after a staff review.
Sales staff at Regus had been recorded showing researchers posing as clients around office space available to rent.
Information about the employees was later published on Trello, a task-management website, and a spreadsheet with names, address and job performance data was found via Google by the Telegraph newspaper.
Such a breach as this is so easily avoidable and, as with many incidents, was simply caused by human error rather than anything malicious. Where companies now rely on so many digital services to do all aspects of their work, they need to make sure that they extend identity management and security best practices to the third-party agencies that they work with. Having a basic level of security practices regardless of a company’s function will start to be expected by customers wanting to do business, and without offering those assurances, businesses could start to suffer if found to be lacking in security awareness and process. Regus and its supplier were quick to respond once discovered, which we can take as a demonstration of how seriously organisations are taking data breaches these days.
This exposure is yet another example of the fact that when you entrust your personal data to a company, you’re also entrusting it to all the third-party providers and vendors that company contracts with. In this case, Applause’s provider didn’t seem to make much of an effort to secure anything. According to reports, there was no encryption, no access control, and no operational security used to keep these performance reviews out of the wrong hands.