A California-based translation and interpreter company has confirmed a massive data exposure that, if abused, could have let attackers break into the company's systems and email accounts and harvest other sensitive corporate and financial information. What happened? Blame an unprotected backup drive that spilled thousands of files onto the internet.
Security researchers at MacKeeper discovered an internet-connected backup drive with no password protection, allowing anyone who found it to view or download the device's contents.
The drive belongs to the IT manager at IU Group (also known as Interpreters Unlimited), a collection of language-focused companies headquartered in San Diego, California. The company provides translation, interpreters, and other language services, and has a number of major clients, including Google, Boeing, and the US Postal Service, among others. The security lapse was due to a misconfiguration that left the drive reachable from the internet with no authentication, exposing its contents to anyone who connected. The security researchers supplied a portion of the files to ZDNet.
Some of the files were clearly documents personal to the IT manager, such as permanent residency documents, passports, Social Security data, tax records, and a handful of court records.
But the backup device contained predominantly sensitive corporate data, which could have given an attacker near-unfettered access to the company's systems, networks, and other data.
The IT manager left dozens of usernames, email addresses, and passwords for his company's infrastructure -- including its website, hosted email and domain name servers, and remote desktop apps -- stored in plain text on the drive.
The files also contained highly sensitive private data of clients, employees and new hires, which included names, addresses, phone numbers, and Social Security numbers.
The data "even had the amount of money translators earned with the company the previous year," according to the researchers who blogged about the incident. "This one document provides enough information that would allow criminals to file fake tax returns, get loans, or other forms of fraud." The researchers estimate at least 4,500 freelancers and staff may be affected.
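The kind of material described above, plaintext credentials and Social Security numbers sitting in backup files, is exactly what a periodic audit of a backup tree should catch before the drive ever reaches the internet. The script below is an added example, not part of the original report and not the company's or the researchers' own tooling: it walks a directory, flags lines that look like credentials, SSNs or private keys, and summarizes what it found. The sample files it writes are constructed for the demonstration, and the regular expressions are illustrative heuristics that an operator would tune to their own environment.

```python
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

# Heuristic patterns for things that should never sit unencrypted in a backup.
# These are illustrative assumptions, not a complete catalogue: extend them
# with the credential formats and identifiers used in your own environment.
PATTERNS = {
    "plaintext_password": re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[:=]\s*\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str


def scan_file(path):
    """Return a Finding for every line in `path` that matches a pattern."""
    findings = []
    try:
        # errors="ignore" lets the scan tolerate binary or oddly encoded files
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for line_no, line in enumerate(fh, start=1):
                for kind, pat in PATTERNS.items():
                    if pat.search(line):
                        findings.append(Finding(path, line_no, kind))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole audit
    return findings


def scan_tree(root, max_bytes=5_000_000):
    """Walk `root` and scan every regular file up to `max_bytes` in size."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large archives/images; scan those separately
            except OSError:
                continue
            findings.extend(scan_file(path))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'plaintext_password': 2, 'ssn': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_backup():
    """Create a constructed (fake) backup tree for the demonstration.

    Nothing here is real data; the credentials and SSN are invented.
    """
    root = tempfile.mkdtemp(prefix="backup_audit_")
    os.makedirs(os.path.join(root, "it", "infra"))
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "it", "infra", "servers.txt"), "w") as fh:
        fh.write("dns01 admin password=Wint3r2016!\n")   # flagged
        fh.write("mail  root  pwd: ChangeMe\n")           # flagged
        fh.write("rdp   itmgr (see vault)\n")             # fine: no secret inline
    with open(os.path.join(root, "hr", "new_hires.csv"), "w") as fh:
        fh.write("name,ssn,start\n")
        fh.write("J. Example,123-45-6789,2016-09-01\n")   # flagged as ssn
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Quarterly backup. Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    root = build_sample_backup()
    try:
        results = scan_tree(root)
        for f in results:
            print(f"{f.kind:20} {os.path.relpath(f.path, root)}:{f.line_no}")
        print("summary:", summarize(results))
    finally:
        shutil.rmtree(root)
```

Run it against a mounted backup with `scan_tree("/mnt/backup")` instead of the constructed tree; a non-empty summary is the signal to pull the affected files into a proper secrets store before the drive goes anywhere near a network. The patterns are deliberately simple, so expect false positives on documentation and treat the output as a worklist rather than a verdict.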
The drive was online for "four to six months," the company's president Sayed Ali confirmed on the phone Thursday, but has since been pulled offline.
The device also appeared on Shodan, a search engine that indexes internet-connected devices and services, including unsecured databases, which would have made the drive easy to find for researchers and malicious actors alike. It's not known whether anyone else accessed or misused the data.
It's also not clear why the sensitive corporate data was stored on the backup drive in the first place. Ali said that the company is "not taking the matter lightly," but believes the incident to be isolated.
Ali confirmed that the company will bring in an independent security auditor to assess the exposure. He added that he has an "ethical duty" to inform his freelancers and staff of the leak. (California companies are also required by law to report data leaks, exposures, and breaches to the state's attorney general.)
If there's a lesson to be learned, it's a simple one: if the weakest link in the security model isn't a person, it's a misconfigured device. And all it takes is one to turn a company on its head.