Has Your Data Been Exposed?

This most challenging and unprecedented year has brought many specific data security challenges to organisations and their Cyber Security teams around the world. COVID and the sudden digital transformations needed to engage with customers, supply chains and remote working staff have severely stretched organisations' cybersecurity resources. In some cases, the sheer scale of the immediate pandemic challenge may be responsible for organisations overlooking data risks and leakages that predate or are unrelated to the current crisis.

One such example may be platforms like GitHub. Nightfall DLP, a data loss prevention platform, recently published an article highlighting five significant examples of such GitHub oversights. There are lessons to be learned about protecting your code and security credentials.

1. Rogers Communications, Canada

Rogers Communications, a major Canadian telecom company, recently discovered two open accounts on GitHub with source code, internal user names, keys and passwords. The data may have been outdated and may or may not have exposed customer information, but it nevertheless represented a very real risk.

2. Amazon Web Services

Early in the year, a DevOps Cloud Engineer working for AWS exposed a gigabyte of data to a GitHub repository. Gizmodo reported that, to the good fortune of Amazon Web Services, this was quickly spotted by researchers at UpGuard, who notified AWS. It was determined that the data contained confidential information and AWS and RSA key pairs, which highlights the danger that an individual acting inadvertently or maliciously can pose.

3. Data Leakage From Dozens of Large Corps

In July 2020, a developer by the name of Tillie Kottmann was managing a repository of leaked code he had gathered from companies like Adobe, GE Appliances, Roblox, Motorola, Qualcomm and Nintendo, plus many more. The data varied and in some cases may have posed little or no threat, but it indicates the scale of this potential problem: the incident, reported by Bleeping Computer, revealed data on 50 companies.

4. Hard-Coded Security Credentials

The summer of this year saw nine US healthcare organisations exposed for leaking the PHI (Protected Health Information) of up to 200,000 patients. Improper practices such as hard-coding login credentials within code were uncovered by a Dutch security researcher called Jelle Ursem, as reported by Nightfall.

5. Data of 16 Million COVID-19 Patients Revealed

Health information of 16 million Brazilians was revealed on GitHub when an employee of Albert Einstein Hospital in the city of São Paulo uploaded a spreadsheet containing passwords and credentials to two databases, E-SUS-VE and Sivep-Gripe, containing the government COVID data, including that of President Jair Bolsonaro. A GitHub user spotted this and reported it to Estado newspaper, as reported by ZDNet last month.

The Lessons to be Learned

There are important lessons for Cyber Security teams and leaders to be learned from these high-profile GitHub leaks of 2020.

Firstly, organisations need to know when code is outside their own environment. Employees may have perfectly good reasons, but there needs to be visibility into these activities, and everyone needs to know and understand the security or authorisation procedure for the use of facilities like GitHub or other repositories.

Secondly, bear in mind that even old or obsolete code can pose real cybersecurity threats by giving an attacker useful information about the architecture and languages of your systems. In the wrong hands, this information could make a successful malicious attack more probable.

Thirdly, poor practices like hard-coding credentials, and other weak security practices, need to be addressed, and organisations need to implement and enforce higher standards across their teams. Tools like Nightfall can assist by scanning commits for secrets and credentials and giving visibility into them, and even offer GitHub-specific tools.
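
The kind of commit scanning described above, as an added example that is not from the original article and is not Nightfall's code: it checks the added lines of a `git diff` for an AWS access key ID, a private key header and a hard-coded password, and reports the file and line. The rule set, the `scan_diff` function name and the sample diff are assumptions constructed for illustration.

```python
import re

# Illustrative rules only (assumed for this example); real scanners use larger, tuned sets.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]", re.I),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return sorted (path, new_line_no, rule) tuples for secrets on added lines."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # a new file section begins
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")    # "+++ b/app/db.py" -> "app/db.py"
        elif (m := HUNK.match(raw)):
            line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            for rule, rx in RULES.items():
                if rx.search(raw[1:]):
                    findings.append((path, line_no, rule))
            line_no += 1
        elif in_hunk and raw.startswith(" "):
            line_no += 1                         # context line exists in the new file
    return sorted(findings)

# Constructed sample in `git diff` format; the key ID is AWS's documentation placeholder.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,5 @@ def connect():
     host = "db.internal.example"
-    password = os.environ["DB_PASSWORD"]
+    password = "S3cr3t-constructed"
+    aws_key = "AKIAIOSFODNN7EXAMPLE"
+    token = os.environ["API_TOKEN"]
     return make_conn(host, password)
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""
if __name__ == "__main__":
    print("\n".join(f"{p}:{n}: {r}" for p, n, r in scan_diff(SAMPLE_DIFF)))
```

A credential that has already been pushed stays in the repository history even after a later commit removes it, so a finding on a published commit means the credential should be rotated.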

See Nightfall.ai for more information.
