Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm's CRM customers

A business app developer's unsecured Microsoft Azure blob left more than half a million confidential and sensitive documents belonging to its customers freely exposed to the public internet, The Register can reveal. Information contained in the blob included occupational health assessments, insurance claim documents from US …

  1. Doctor Syntax Silver badge

    No more Mr Nice Guy

    This sort of thing really needs to be subject to penalties on a scale that jeopardises the company's viability.

    We've had DPAs for decades now and the need for compliance just doesn't seem to register with manglements or at least not to the extent that it compels them to supervise the underlings and make sure stuff is secured. We need to start putting some of the worst examples where they can no longer place data subjects at risk. Seeing a few of their contemporaries go down the tubes would encourage even the most obdurate of the others.

    1. Whitter

      Re: No more Mr Nice Guy

      At the very, very least, punishment needs to cost more than the savings from not doing it.

      1. Brewster's Angle Grinder Silver badge

        Expectation value

        It's got to be multiples of the savings. If the punishment amounts to twice the savings but there's only 1 in 10 chance of getting caught, do you bother?

      2. Ian 3

        Re: No more Mr Nice Guy

        And the penalties should apply to Probase's customers for criminally negligent supplier due diligence - or if they subcontracted due-diligence checks then also to the companies who provided them. I believe the GDPR legislation does not allow companies to just pass the buck to service providers in cases like this.

        1. aaaa

          Re: No more Mr Nice Guy

          Actually I think this comment has hit it on the head.

          Fine the director - his directors liability insurance pays, everything stays the same.

          Fine the company - the products or public liability insurance pays, everything stays the same.

          Fine the customers - they cancel contracts, and scrutinise the next provider more carefully.

          1. tip pc Silver badge

            Re: No more Mr Nice Guy

            Tax the customers because the company had an IT failure, what an interesting idea. It’d make most normal customers run and be a constant reminder of the company’s failures.

          2. DevOpsTimothyC Bronze badge

            Re: No more Mr Nice Guy

            > Fine the customers - they cancel contracts, and scrutinise the next provider more carefully.

            Perhaps you'd like to explain how as a customer I would investigate that sort of thing?

            "I'm looking to buy your CRM (or other AAS product) which comes with various contractual obligations on both sides. I want to see all the IP that is used to build it and all of the config (except usernames)" ?

            1. Sikas Aparat

              Re: No more Mr Nice Guy

              As a customer you don't "investigate" anything:

              you get your lawyers to write waterproof contracts that say something to the effect of "Supplier indemnifies customer against any and all leaks of customer's data caused by any supplier's acts of omission or commission" or similar.

              Then when you get fined because your supplier spaffs your data all over the interwebs, you claim from them.

    2. Anonymous Coward

      Re: No more Mr Nice Guy

      I was thinking along exactly the same line as I clicked through to the comments. Someone or preferably some people at a suitable height in the company or companies owning the data or setting up the storage need to do a term inside and be prohibited for a very long time and very publicly from doing anything commercial involving IT.

      1. HildyJ Silver badge

        Re: No more Mr Nice Guy

        Putting them behind bars sounds satisfying but not doable.

        OTOH, making the CEO personally liable for any fine would be a great start.

        1. upsidedowncreature

          Re: No more Mr Nice Guy

          I upvoted you, but why is putting company directors inside not do-able? It seems like fines aren't having the required effect. The threat of doing some bird would focus the mind and shift priorities.

          1. Dan 55 Silver badge

            Re: No more Mr Nice Guy

            Fining the company isn't having the required effect. Fining the directors might do the trick.

            1. Eclectic Man Silver badge

              Re: No more Mr Nice Guy

              In theory at least, in the UK company directors can be held personally liable for any criminal activity committed on behalf of their company. However, they can be very difficult to hold to actual account as they invariably claim that they were personally unaware of the actions, believed their 'direct reports' were keeping them properly informed, and do not recall their 'direct reports' raising this issue with them (even though said 'direct reports' claim to have done) as it is nowhere to be found in the 'minutes'.

              Just look at the phone hacking scandal from News of the World / Murdoch press, or any number of cases of 'corporate manslaughter' which have failed to imprison or even convict a single Director.

              This is, however, one area of law where the USA beats the UK. The directors of Enron (remember them?) did go to jail. Ernest Saunders in the UK, who rigged the share price of his company to get a takeover deal through on the cheap, did spend time in prison, but it was a low security prison, where he made medical history by being the only person ever to have recovered from dementia.

              One law for the rich.

              1. sabroni Silver badge

                Re: as they invariably claim that they were personally unaware of the actions

                So what? Legislate that they don't need to be aware to be responsible and send them down.

              2. teknopaul Silver badge

                Re: No more Mr Nice Guy

                That defence does not work for _not_ doing something. You have to prove with meeting minutes you were told otherwise.

              3. Lyndon Hills 1

                Re: No more Mr Nice Guy

                This idea of not knowing what your direct reports are up to was part of what Sarbanes-Oxley (in the US) was designed to address. The concept is that you (as a director/manager) are responsible for your direct reports and ought to know, and also have controls in place to ensure that you do. ISTR that this was one of the results of Enron's failure, mentioned above.

          2. onemark03 Bronze badge

            Re: No more Mr Nice Guy

            Prison time and fines (of course) but the latter should not be covered by D&O insurance.

            Prison time does indeed concentrate the mind but the financial penalties also need to hurt.

            And perhaps a bit more commercial law to be also covered by criminal law (commercial criminal law).

          3. tip pc Silver badge

            Re: No more Mr Nice Guy

            “ why is putting company directors inside not do-able? ”

            Directors direct, workers do.

            Typically directors will issue instructions that can be vague and open to interpretation.

            If a director issued a directive to ensure compliance, and something was found that wasn't in compliance, was it the director's fault, or the manager responsible for the thing not in compliance, or the team or individual who was responsible for the compliance? What if a 3rd party pen test was done that didn't find it? What if it was secure originally and something changed after and no one noticed?

            The director can’t be expected to have expert knowledge in everything they are responsible for, that’s why they have lots of people in their directorate.

            If the director deliberately instructed something to be insecure then yes they should go to jail. If the director wasn't woolly enough in their instructions leading to questions about their leadership then they will be the scapegoat and find they don't survive in that job and may not get another directorship.

            1. DevOpsTimothyC Bronze badge

              Re: No more Mr Nice Guy

              Most of the directors will also issue unrealistic timelines (to make profit sooner) and will also not approve funding on security unless it is essential to the product.

    3. Anonymous Coward

      Re: No more Mr Nice Guy

      Damages are limited to contractual caps.

      Otherwise you'll find no one willing to do the work.

      The bigger problem is the attempt to get E&O coverage because no one knows how to underwrite this and then there would be caps here too.

      The truth... think twice before going to the cloud and also add additional layers of security and processes to limit the exposure of data.

      This is why you need to look at Enterprise clouds and reduce the reliance on 3rd party developers who work off enterprise or store data off enterprise.

  2. Howard Sway

    Who put the Pro in Probase?

    In their own words:

    "Probase's methodology to designing and developing databases makes sure that your applications will provide the highest data integrity and security, while our open approach enables efficient and reliable integration with other existing enterprise applications. We deliver this using our proven development methods that provide our customers with transparency and certainty throughout the project."

    In some of their other buzzword bingo blurb, they also go on about "agile", which I have found over the years is often the opposite pole of sturdy security. Agile + Cloud = Avoid. The solutions offered by the plastic shed company with the same name as theirs sound more secure.

    1. Doctor Syntax Silver badge

      Re: Who put the Pro in Probase?

      They were right about their approach being open.

    2. sabroni Silver badge

      Re: Agile + Cloud = Avoid

      The problem is neither of those things.

      The problem is bad techies.

      They'd fuck up your in house stuff just as quickly, but it wouldn't be obvious to the rest of the world.

  3. GreyWolf

    Listen to what Teacher says..

    ...this, children, is why we NEVER put anything into "the cloud".

    The cloud is just a fairy tale you tell when your top management are clueless.

    1. tfewster Silver badge

      Re: Listen to what Teacher says..

      The Cloud enables the worst extremes of shadow IT. No longer do business buyers have to smuggle a bootleg beige box into the office (where at least it has some physical and network security). With just a company credit card the clueless can cut through any corporate governance.

      Though I'm amazed they managed to completely disable the out of the box security to make this a perfect clusterfuck.

      You wouldn't sell a knife to a kid - Maybe Azure et al should enforce a competency test, e.g.

      "The Cloud is a) A magical paradigm that anyone can use b) A way to free the business from the tyranny of experts c) Bureau computing with a new name d) Someone else's computer."

      Even if the buyer guesses a "right" answer, they've been warned ;-)

      1. FlamingDeath Silver badge

        Re: Listen to what Teacher says..

        This is Microsoft, the company which allows phishers to use its forms platform...

    2. Sandgrounder

      Re: Listen to what Teacher says..

      Teacher is a fool.

      This has nothing to do with cloud. Incompetence places data at risk regardless of who owns the box it sits on. It is naive in the extreme to think that because you can physically touch a server, it is safe. A proper security strategy has to assume that the internal network is equally as compromised as a public one.

      1. Anonymous Coward

        @Sandgrounder - Re: Listen to what Teacher says..

        Yeah but the cloud substantially magnifies the damage caused by incompetence.

        1. Martin M

          Re: @Sandgrounder - Listen to what Teacher says..

          Disagree. 10 years ago I think it’s safe to say this company would have been dumping uploads in an unsecured Apache directory. Apache and the OS wouldn’t have been patched since installation. The ‘server’ would be located in an unlocked stationery cupboard with unencrypted disks, and there would be no RAID or backup regime.

          Using a cloud object store actually fixes or helps with most of these problems rather than exacerbates them, and provides some pretty powerful security constructs to those who are capable of using them. On AWS (not sure about Azure) you will be warned proactively and quite strenuously that your unsecured bucket is probably not a good idea. But ultimately, it can’t fix stupid.

      2. katrinab Silver badge

        Re: Listen to what Teacher says..

        Sure, but this is the equivalent of walking into an office with a laptop and connecting to a network socket, except that now you can do it from anywhere in the world.

        1. Sandgrounder

          Re: Listen to what Teacher says..

          The reality is that users are located anywhere in the world and need access to their data. The days of air gapped networks and data locked on a single mainframe reachable only from inside one building are long gone.

  4. This post has been deleted by its author

    1. Doctor Syntax Silver badge

      Re: What no SAS or AD or even VNET's

      I think you lost them at "design".

  5. Pascal Monett Silver badge

    "Azure blob security"

    Three words that sound ridiculous together.

    How is it that multiple customers were using the same cloud storage thingy? Did nobody think it would be better to have a storage per customer, or was that a more expensive solution?

    Yeah, it was probably more expensive. Couple that with a dev that probably had to set security to the lowest setting that worked with all customers, and a PHB that didn't give a damn, and this is the result: a massive breach of very intimate, personally-identifiable data.

    Somebody should be jailed for this, and I'm not talking about the dev.

    1. Sandgrounder

      Re: "Azure blob security"

      No, it doesn't cost more to create multiple blobs. This is purely a design decision.

      For a multi tenanted application, it would be expected that a separate blob be used for each tenant.

      In a single tenant application a single blob for different customers' data would not be unusual, in the same way multiple customers' data would be in a single database.

  6. Version 1.0 Silver badge

    Think about how this was created

    So who designed and wrote the management code? Probably a student wanting to demonstrate that they were a talented programmer, security is not a concern when you are just demonstrating this - so the company probably gave the author a small fee and let them go in the current COVID environment and started using the app. Management would be happy, "Cheap code that works great, let's start charging people" and they would have just assumed it was all good but never tested it, the author's probably got a job driving for Uber now, at least it's a paycheck.

    1. Boris the Cockroach Silver badge

      Re: Think about how this was created

      Unlikely, the lectures on DB security will still be ringing in our students' ears.

      More likely a dodgy design sent to the cheapest outsource they could find, then run without any QC checks.... thus proving you get what you pay for.

      "we need to make a profit"

      "But QC"

      "get it running, we need to make a profit"

      "The design is flawed"

      "Who cares... we need a profit"

      I think a nice fine would be about £1000 per record exposed.. fat chance of that though

      1. stiine Silver badge

        Re: Think about how this was created

        Ah, so you're saying that Microsoft themselves built it...right.

      2. John Brown (no body) Silver badge

        Re: Think about how this was created

        "then run without any QC checks."

        Sadly for them, they are about to find out the power of QC. They just pissed off the Trades Union of the Queens Council!!

    2. Roland6 Silver badge

      Re: Think about how this was created

      Would not be surprised if the Probase application actually authenticates with Azure, to access the blob...

      I suggest this isn't just an issue for Probase, but also for the cloud vendors themselves.

      It is clear the default configuration of cloud services is public. In some ways this is like laptops/desktops being shipped with an unencrypted HDD and set up by default as a public (read, write, execute) network share; whilst you need to log in to the OS to access the HDD via the installed OS, anyone on the network can access the HDD.

      I suggest perhaps cloud vendors themselves need to change their defaults so that new instances are private by default; users have to actively change settings to make them public and then have this red flagged in their admin console...

      1. Anonymous Coward

        Re: Think about how this was created

        The default is not public in azure. Nothing wrong with bashing Microsoft, but at least stick to where appropriate.

        1. Roland6 Silver badge

          Re: Think about how this was created

          Thanks, wasn't bashing MS, just noting that there seem to be too many instances of unsecured, i.e. publicly accessible, cloud instances containing sensitive data.

          At least in this instance it would seem it was a deliberate act (by an employee of Probase) to make the instance public - that clarity will not help Probase's data protection defense...

        2. teknopaul Silver badge

          Re: Think about how this was created

          I never really understood why blob storage should ever be directly accessible from the Internet. Why not a set of trivial APIs so at least noob devs have to write _some_ code to expose data on t'interwebs? Even if it's just a web proxy.

          1. DevOpsTimothyC Bronze badge

            Re: Think about how this was created

            The whole point / purpose of blob storage (initially) was so it could be used as a static web page and similar. It was initially there as the backend of a CDN.

            The whole "Let's put other stuff into blob storage" was because it was cheap.

            A few years ago blob storage defaulted to accessible and you had to secure it. Yes that has changed, but older blob stores still have their initial config.

            If this has records back to 2013 it would put it quite squarely into the "blob storage is open, you need to lock it down"

  7. This post has been deleted by a moderator

    1. Anonymous Coward

      @sgp - Re: Probase director Paul Brown

      May I remind you that incompetence is not a crime.

      1. HildyJ Silver badge

        Re: @sgp - Probase director Paul Brown

        It should be.

      2. tfewster Silver badge

        Re: @sgp - Probase director Paul Brown

        IANAL, but: Companies Act 2006: A Director must exercise reasonable care, skill and diligence in his/her role.

        Yes, Directors can be held personally responsible. Which is why they get paid so well. Not that you ever hear of one being held to account.

        1. Androgynous Cupboard Silver badge

          Re: @sgp - Probase director Paul Brown

          Read that again - it equally means that they must be no less competent than your average citizen, which is a very low bar indeed.

          1. Martin Silver badge

            Re: @sgp - Probase director Paul Brown

            No, it says "reasonable care, skill and diligence in his/her role."

            And reasonable care depends on the skillset required. So, for example, reasonable care for an electrician or plumber is distinctly higher than for your average citizen. Similarly, if you're a director of a company, you are expected to have a certain skillset, which should be, again, higher than your average citizen's.

            1. Anonymous Coward

              Re: @sgp - Probase director Paul Brown

              If by director skill sets you mean greed and contempt for your customers and employees, I think, on average, you may be right.

      3. upsidedowncreature

        Re: @sgp - Probase director Paul Brown

        "Incompetence is not a crime"

        Negligence can be.

      4. Martin Silver badge

        Re: @sgp - Probase director Paul Brown

        "...incompetence is not a crime."

        If I try to fix the electrics in my house, and as a result of my incompetence, someone is electrocuted, I have committed a crime.

        1. MJB7

          Re: @sgp - Probase director Paul Brown

          "If I try to fix the electrics in my house, and as a result of my incompetence, someone is electrocuted, I have committed a crime.": Maybe - but maybe not. Basically only if you are negligent (which is a higher bar than "incompetent").

    2. This post has been deleted by a moderator

  8. StrangerHereMyself Bronze badge

    Cloud Spoils

    This is what you get when organizations move to the Cloud and let go all their sysadmins. Some clueless individual has let the barn doors wide open and the horses have all bolted.

    1. FlamingDeath Silver badge

      Re: Cloud Spoils

      “I Like Money”

      - Frito

  9. Esme

    No, no I do not!

    "Customers trust the companies they deal with to take their security seriously." - heavens, no! I've had too much evidence for too many years that most companies either don't give a damn about customer data security, or if they do, are evidently clueless about it, or, in one case where I worked for them, had at least one director (who had legal training, I might add) who did their damnedest to try to circumvent the requirements of the Data Protection Act, and was only stopped by junior staff refusing to break the law.

  10. Anonymous Coward

    But this time they exposed some very dangerous legal professionals. I expect their pro bono work will now be donated to themselves to destroy these clowns.

    1. TimMaher Silver badge

      Pro bono

      Especially as that is “for the good” rather than “for free”.

      1. David 132 Silver badge

        Re: Pro bono

        If I was suing the lead vocalist from U2, would I want my lawyer to be working pro bono?

  11. Anonymous Coward

    Millennial coding.

    The new version of Indian coding.

    The perpetually offended will be getting prickly right now; but those of you who actually work in IT doing real jobs know just what I mean.

    1. Anonymous Coward

      Re: Millennial coding.

      why code when u can low code

      cheers, a millennial

  12. adam payne

    What's that I hear? Is that the sound of the GDPR train, next stop their HQ?

  13. moonpunk

    The problem is that companies like Probase have most likely always written shoddy software like this, without even so much as a nod to 'secure by design' principles. But the difference is they've got away with it in the past (albeit by the skin of their teeth) because they've hosted it in their own (or co-located) datacentres and on their own managed tin, and the only bit of security that's been saving their bacon has been some firewall at the edge.

    Now, in the cloud they continue to write shoddy software with no regard to security and it's all laid bare. This is the problem when companies go looking for SaaS line of business applications: they often seem only interested in whether the application meets their functionality requirements, and only demand auditable security once they've had their pants pulled down like this!

  14. Anonymous Coward

    Moving your platform to the cloud...

    ...is like moving your wänking from your locked bathroom to the station platform, and expecting to receive a medal for so doing.

    1. Anonymous Coward

      Re: wänking

      Is that the UK public school pronunciation? Probase have certainly been caught with their trizers dine.

  15. Anonymous Coward

    Sometimes clouds create rain

    Data rain

    1. FlamingDeath Silver badge

      Re: Sometimes clouds create rain

      Storms too, even blizzards

      Any company that calls its product 365 is probably making shit up as they go along

      I bet even their own T&Cs don't promise 365 days

  16. YetAnotherJoeBlow Bronze badge

    Responsibility

    If I exposed any data from my clients, they would rip up their contract with me - most assuredly I would loose my clearance for other contracts as well.

    Like the OP points out, there needs to be some consequences for carelessness.

    1. Cardinal

      Re: Responsibility

      "Like the OP points out, there needs to be some consequences for carelessness".

      Ditto for poor spelling, especially where the error is as clear as the noose on your face :-)

  17. Anonymous Coward

    Probase is a company where one would go when you need a solution cheaply outsourced to Pakistan and/or India. Quality is of no concern.

    (lookup Probase at LinkedIn and you will notice nearly none of the engineers are UK based.)

    1. Anonymous Coward

      Glad I Googled probase as I'm putting a shed on my allotment in the new year

    2. Roland6 Silver badge

      >Probase is a company where one would go when you need a solution cheaply outsourced to Pakistan and/or India.

      You mean the lack of security was deliberate? So that somebody's in-laws could trawl the data for promising leads for their scam call centres...

  18. tip pc Silver badge

    Amazon should just enforce complex passwords or certificates for any new remote services

    Enforcing a complex password would be the first obvious thing to do.

    It'd stop drive-bys, raising the complexity of access and forcing the devs to consider security.

    Next would be to enforce access certificates: 1 unique cert per accessing system, no cert no access; the dev can revoke the cert for any of the systems that goes rogue.

    Yes the complexity goes up but at least they will still be around tomorrow to earn money.

  19. Anonymous Coward

    GDPA == JOKE

    "Cloud Security" == JOKE

    *

    "Privacy (on the Internet)" == JOKE

    *

    How much more marketing do I have to ignore?

  20. Anonymous Coward

    Should have used S3

  21. That 8 Bit Guy

    Saving money on physical data couriers.

    At least the new method of safely (leaving) moving highly sensitive data is not in costly laptops or USB drives via British transport.

    That has to be some kind of progress.

  22. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2021