Dozens of servers containing Weight Watchers data were left exposed, because the company didn’t use password protect software used for managing its application containers. Numerous activity logs, passwords and private encryption keys were left exposed – you can read more about it here.
Broderick Perelli-Harris, senior director, professional services at Venafi commented below as part of our expert comments series.
Broderick Perelli-Harris, Senior Director, Professional Services at Venafi:
“Weight Watchers may be the latest high-profile firm to expose sensitive data, but it follows a familiar pattern; a cloud service was left unprotected, and data including customer passwords and private encryption keys was left out in the open.
Exposing the latter to cybercriminals could have been particularly damaging. Like many other firms, Weight Watchers relies on cloud services to power much of its business. But access to these services is secured with encryption keys that often sit outside the control of security teams. So when encryption keys are left unprotected, Weight Watchers loses control over a vital security mechanism, and opens the door for cybercriminals’ abuse to fly under the radar.
It’s easy to point the finger at Weight Watchers here, but the reality is that protecting every single encryption key that powers a cloud service is almost impossible for organisations to handle manually. Organisations typically have thousands of them across their network, and security teams rarely have oversight of all of them. Yet cybercriminals are aware of this common blind spot that many firms have, and will increasingly look to abuse it. As such, Weight Watchers should look to automate the discovery and replacement of its affected encryption keys, or cybercriminals can potentially remain within the system and continue to siphon off data to be used maliciously.”