natali_mis - stock.adobe.com
Botched third-party configuration exposes Internet Society data to web
Personal data on members of The Internet Society was exposed after a supplier failed to secure its Azure storage
The personal data of up to 80,000 members of The Internet Society (ISOC) was left exposed to the internet after one of its third-party technology partners failed to correctly secure a Microsoft Azure Blob repository.
ISOC is one of the longest established internet non-profits, set up in 1992 with a mission to ensure the open development of the internet worldwide, with a particular focus on reducing the digital divide and making the web more accessible.
The exposed data was uncovered on 8 December 2021 by a team at cyber software specialist Clario, working alongside independent researcher Bob Diachenko, and reported immediately. The ISOC responded promptly and appropriately and the database was fully locked down by 15 December.
The vulnerable Blob repository contained millions of json files including the personal and login details of ISOC members. Besides this, it also included data on their activity, account IDs, linked social media accounts, joining dates, language preferences, email addresses, postal addresses including zip codes, gender, full names, and even amounts of money donated.
Its exposure potentially leaves ISOC members at risk of being attacked by cyber criminals with phishing attacks leading to identity theft and financial fraud.
“Based on the size and nature of the exposed repository, we can assume that all of the members’ login and adjacent information was open to the public internet for an undefined period of time,” wrote Clario’s team in a disclosure notice published today.
A spokesperson for the ISOC said: “We have confirmed that the association management system we use was configured incorrectly by MemberNova, which made some Internet Society member data publicly accessible. Fortunately, we have not seen any instances of malicious access to member data as a result of this issue.
“We notified all our members about this matter before the holidays and worked with MemberNova to correct the configuration issue and restore the system to normal operations. We have also just let our members know that the investigation has wrapped up.
“Thank you again for bringing this issue to our attention as your notice allowed us to quickly resolve the situation,” they said.
The supplier involved, identified as MemberNova, is a Canada-based specialist in membership platforms, providing services such as membership and community management, event registration and so on. There is no indication of malicious intent on its part.
Nevertheless, as in all such cases involving misconfigured databases, the incident serves as another warning to organisations to check and validate the cyber security postures of their third-party suppliers as a serious breach could put the organisation with which the data originated at risk of legal or regulatory consequences.
“There are challenges for ISOC if this data breach had been widely reported with loss of reputation the main issue. As the organisation works in the online world and is viewed as an upholder of standards and best practice, it could be particularly embarrassing if this had come out,” said Clario’s team.
“The breach suggests ISOC needs to do more to enhance [its] security infrastructure and adhere to the best practices [it] champions around making the internet stronger and more secure.”
Read more about third-party data breaches
- The British Council entrusted confidential data on its students to a third-party and was let down.
- Data on Labour Party members was recently compromised in an apparent cyber attack on a third-party data processor.