Brit security guard biz exposes 1.2M files via unprotected database

A UK-based physical security business let its guard down, exposing nearly 1.3 million documents via a public-facing database, according to an infosec researcher. A researcher says they stumbled upon a trove of data belonging to Amberstone Security, which included thousands of pictures of its guards as well as pictures of …

  1. Mike 137 Silver badge

    Only now?

    "I am investigating this with the supplier who developed and hosts the platform"

    Yet another example of what I defined a couple of decades back as 'fire and forget management'. At least in the UK, the law actually requires the first party to take responsibility for third party data breaches, so it amazes me that said first parties never seem to check the security of their subcontractors' systems or activities until it's too late. How many businesses get their online offerings pen tested? Practically none in my experience.

    1. Eclectic Man Silver badge

      Re: Only now? - 'Fire and Forget'

      I went to a presentation by a senior executive just after I joined my last company. He said he liked the idea of 'fire and forget', which he took as something from the Vietnam war, when a missile could be fired and it would find its own way to the target, so the pilot could just forget it. Unfortunately the Western powers lost the Vietnam war, and the most appropriate quotation from that conflict is surely the response of the senior US General when asked to assess the situation after the Viet Minh had taken the last heights surrounding Phnom Penh: "We're F**ked". Consternation from the assembled journalists, who wanted something they could print. But the general insisted "We're F**ked. They can kill us any time they want."

      I am not a fan of 'fire and forget management'.

      1. General Purpose

        Re: Only now? - 'Fire and Forget'

        >the Viet Minh had taken the last heights surrounding Phnom Penh

        The North Vietnamese surrounded Cambodia's capital city with American forces in it? Is this about someone else or some other place, one that is surrounded by heights?

        1. Eclectic Man Silver badge
          Facepalm

          Re: Only now? - 'Fire and Forget'

          Oh Sh*t! Wrong something or other. Anyway the US forces were surrounded and had to evacuate and the senior general's assessment of their situation was "we're F**ked".

          I'll just mumble amongst myself.

          'Zootle-wurdle, zootle-wurdle, zootle-wudle.'

    2. Anonymous Coward

      Re: Only now?

      Typical suit thinking:

      "Pen testing? Huh? No, it's OK, we don't need to test our pens, we get so many of those fancy pens free from all those business conferences that I go to… You wouldn't believe how many presentations I have to snooze sit through before we get to the free wine and nibbles part, though…"

      But, yes, it should be a mandatory part of registration with the relevant Data Protection Authority for any Data Controller to demonstrate that their internet-facing systems have undergone properly audited penetration testing before commissioning any significant updates for live use. It does represent a burden and a cost to business, but so does allowing our Personal Data (and especially Special Category Data) to be stolen because of sloppy coding and poor security practices - which nowadays seem to occur somewhere at least once a month.

      Many other areas of business have all sorts of mandatory safety processes, so why should IT and data management really be any different? (Just one random example, from a paperwork filing summer job that I once had: the construction industry has to send samples of concrete for analysis (and the test results are kept for many years afterwards) to ensure that the concrete used was properly safe to use on the construction site (concrete not made within specification, or delivered to the site too long after its preparation, risks later failure of the structure being built). Yes, hassle and cost, but accepted as just a necessary part of doing business, and helping to ensure safety.)

      1. Richard 12 Silver badge

        Safety rules are written in blood

        Every single one of those safety checks exists because someone was seriously injured or killed.

        In many cases, the business was sued out of existence - the HSE generally try to leave enough assets for the victims to get some compensation.

        The problem with data security and privacy is that it's not an existential threat to the business. The fines actually levied are far too small, and the victims don't get any compensation at all.

    3. Anonymous Coward

      Re: Only now?

      My company has a policy that anything we put out-facing must be 3rd party pen-tested and will not be allowed to be set live until it has been tested. We updated our SFTP server a year ago and we thought we did a good job; pen-testing taught us a lot about our own hubris! Ha ha!

  2. Doctor Syntax Silver badge

    I wonder if, when a contractor is working on a building that Amberstone guards, they send along one of their security guards to oversee the job.

  3. Brewster's Angle Grinder Silver badge

    Defence in depth

    "Thank you for bringing this to our attention...I am investigating who I can transfer blame for this to."

    The scary thing is not that this was exposed to the internet (although that's bad enough) but that once you are inside the system, there is zero control or auditing. Anybody with the password can, apparently, see it all. But the trousers have been pulled up so the shit remains hidden.

  4. perkele

    Most physical guarding is a sham with "minimum wage SIA monkeys" doing the bare minimum. A facade.

    1. Eclectic Man Silver badge
      Happy

      re: Security guarding

      One of my friends was a 'night watchman' for two years. He spent all his time reading the Financial Times, and now runs a business that owns at least three pubs.

      Another story about physical guarding: BT has a lot of large old buildings that used to house the enormous Strowger telephone exchanges. Anyway, BT moved out of quite a few due to the economies of electronics, but robbers used to try to steal stuff from them (copper piping a favourite, whether connected to the mains water supply or not). So BT had lots of security guards who would try to chase the miscreants away, but often failed. So BT hired some retired Gurkha soldiers as guards. Their policy was to let the thieves enter, and when they were just about to start stealing something, creep up silently behind them and shout "BOO!" very loudly into their ear. Scared the shit out of them - they never came back.

  5. xyz Silver badge

    Bouncers get bounced

    It's amazing that this sort of thing still happens. More details please.. Was it some Access job in a public folder under a web site root or what? Or just the normal clear text username=admin, password = 123456789 thing. Or both?

  6. heyrick Silver badge

    as well as pictures of individuals suspected of offenses including shoplifting

    Suspected, huh?

    Suspected?

    And are the "suspected" aware that their photos have not only been retained by this outfit, but now leaked?

  7. sitta_europea Silver badge

    Many years ago I used to provide a service to disinfect virus-ridden computers.

    My personal best for a single computer in a single company was just over 1,000 viruses.

    At the offices of this company, when I discovered the state of it I told the computer's user (the MD's secretary) that it would take a while to get rid of all the viruses, and, as there would be a lot of waiting around for scans, it would be easiest if I took it back to my office to do it there. It wasn't usable as it was anyway. She said fine, so I took it and started work.

    Some hours later an irate Managing Director was on the 'phone saying I must take the computer back to their offices immediately.

    I took the lack of any explanation to mean that there was something on there that the MD didn't want me to see.

    I took it back, still riddled with viruses, and I never heard from them again.

    It's (still) a physical security company in Sutton-in-Ashfield, Nottinghamshire.

    They still advertise "First Class Security...", which kinda sums it all up for me.

    Struggling nowadays to find *anything* that isn't built on lies.

    1. tiggity Silver badge

      @sitta_europea

      Doing well to still be a physical business in S-in-A.

      Last time I walked around the main "shop / business" zones there (Idlewells, Outram St. etc) it had a real down at heel vibe, with plenty of vacant sites.

      Interestingly there was still a darts-centric sports shop in the same spot on Outram St. where I purchased my first darts as a teen, decades ago. (Not sure if it's still the same business or whether it's changed hands over the years.)

      As a wildlife enthusiast, like the username

  8. Tron Silver badge

    Luckily Britain's banks have been working hard for years to reduce bank robberies.

    By closing all the branches.

    1. ColinPa Silver badge

      Re: Luckily Britain's banks have been working hard for years to reduce bank robberies.

      In yesterday's paper was a comment about reducing the number of trains which get cancelled - we'll remove them from the timetable - so there are fewer trains - so the absolute number will decrease.

      1. Richard 12 Silver badge

        Re: Luckily Britain's banks have been working hard for years to reduce bank robberies.

        If it's taken off the timetable before 22:00 the night before, it wasn't "cancelled".

        It just didn't run.

        Quite why the regulator doesn't treat that as fraudulent is unclear.

  9. Dan 55 Silver badge

    We did the bare minimum folks, yay us!

    "We have acted accordingly and in line with our regulatory obligations."

  10. IGotOut Silver badge

    And the next regulatory question.

    ....why do you have information like this that's 7 years old?

    Time for a huge fine please regulators.

    1. ElNumbre
      Megaphone

      Re: And the next regulatory question.

      No mention on whether the ICO has been informed.

      So could be another smackdown if they've not met the timelines.

  11. steviebuk Silver badge

    I've always felt

    physical security businesses are pony (excluding close protection as most are ex SAS)

    It's probably because I'm thinking of G4S. They are truly awful.

    Slightly related are the folks that go repair the cash machines. Knew a guy that was doing it and got told to drive miles right near the end of shift. Then once he had to call back to base that "I'm at that cash machine but I can't repair it, the police are here". He got told "We don't care, just get in there and repair it". He replied "I can't, it's just been robbed so it's a crime scene". Jobsworth managers, back at base micromanaging because "we have to hit targets", mainly so they get the bonus that they won't share with their team.

  12. John Brown (no body) Silver badge

    we take data security seriously,

    A day after being alerted to the exposed database, Amberstone Security revoked public access...immediately contained any risks.

    A day later =/= immediately in my book. If they really took it seriously, they should have been phoning people to sort it, whatever the time of day or night and hang the costs! That's why some people have high falutin' job titles and get well paid. It's their JOB to see that things get done and take the responsibility to ensure it happens.

  13. Plest Silver badge
    Happy

    Just gonna put 4 letters here...

    G

    D

    P

    R

    Let me give you 4 more...

    D

    O

    R

    A

  14. daswer23

    PSIRA verification can help prevent similar breaches by ensuring all security personnel and processes meet strict regulatory standards.
