Infoseccer: Private security biz let guard down, exposed 120K+ files

A London-based private security company allegedly left more than 120,000 files available online via an unsecured server, an infoseccer told The Register. The independent security researcher claimed they had found 124,035 exposed files back in October, totalling 46.48 GB in size and containing details such as PII, payroll data …

  1. wyatt

    Ah yes, "if no serious harm" has occurred then it's not reportable. Almost like as long as you get away with it, it's ok?

    1. Headley_Grange Silver badge

      It's more of a "no serious harm yet or that we know about". This stuff could be on a disc somewhere forming a small but crucial part of sophisticated social engineering attacks on a whole bunch of poor buggers, some of whom just applied for jobs. We might never "know" the damage that this helped to cause, and the tone of their press release is one of shooting the messenger to discourage the others. If Assist Security are not punished for this then the ICO should be hauled over the coals.

    2. Hans 1
      Windows

      Actually, if you get into the server, download what you want and doctor the logs, you are good to go; nothing will be reported.

  2. Headley_Grange Silver badge

    Their "working with an ethical hacker" quote sounds a bit threatening to me.

    1. MonkeyJuice Bronze badge

      "...we continue to engage with the ethical hacker to understand the extent of data they may have UNLAWFULLY exfiltrated and be retaining"

      This is definitely a cute gambit.

      Good luck guys.

  3. TrevorH

    Their response appears to be the usual "kill the reporter, ignore the cause". Inspires confidence.

    1. An_Old_Dog Silver badge
      Headmaster

      Quasi-Denying the Problem, and Tarring the Messenger

      1. Assist Security wrote that they took actions to secure the "allegedly exposed files".

      2. They tarred the messenger with implications said messenger is a bad guy/gal with their use of the phrase, "... data they [JayeLTee] may have unlawfully exfiltrated and be retaining."

  4. Pascal Monett Silver badge
    FAIL

    Assist Security

    Demonstrating the difference between being there for the paycheck and actually being competent.

    Oh, and I love the dig about the eventual "unlawful" access of the "ethical hacker".

    You're idiots and you have been exposed. Shooting the messenger just confirms it.

  5. Colin Bull 1
    Joke

    Not completely stupid ...

    They could have told the ethical hacker to print out the data then shred it.

    1. Hans 1

      Re: Not completely stupid ...

      They probably already have....

  6. Dissent Doe

    They call him "ethical" and then say "unlawful" ?

    As someone who has been reporting on leaks and breaches for 18 years now, Assist Security's statements sound like an attempt to divert from their own accountability for a leak and from the key question right now:

    Do they or don't they have access logs that show every access to the data in the last year or from whenever the data were first exposed without authentication required?

    This is simple. If they have logs, they don't need the researcher to tell them what he accessed.

    If they don't have logs, they should notify everyone because there appears to be a high risk of harm and they don't know how many thousands of people downloaded the data and are saving it to misuse.

    So, tell us all, Assist Security: do you have the logs that will show you what IP addresses accessed your data or don't you? Maybe if you send JayeLTee all your logs, he can tell you which IP addresses might be his.
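
The check Dissent Doe is asking for, as an added example that is not part of the comment thread or of anything Assist Security has published: if the server kept ordinary web access logs for the whole exposure window, the question "who read what" is answered by the logs themselves, and the researcher's IP addresses are just one entry to subtract. The script below parses combined-format (Apache/nginx style) access log lines, keeps only successful reads under the exposed path, aggregates per client IP, and then separates the disclosed researcher addresses from everyone else. The path /exports/, the IP addresses and the log lines are all constructed for illustration; nothing here is taken from the actual server.

```python
"""Triage web server access logs for an exposed directory.

Added example, not from the article or from Assist Security. Assumes the
exposed files were served over HTTP from a path such as /exports/ and that
the server kept combined-format access logs covering the exposure window.
If the logs do not exist, or start after the exposure began, that absence is
itself the answer: the set of readers is unknown and notification follows.
"""
import re
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: two readers of the exposed path, one unrelated client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2024:09:14:02 +0000] "GET /exports/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2024:09:14:05 +0000] "GET /exports/payroll_2023.xlsx HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
198.51.100.42 - - [13/Oct/2024:22:03:11 +0000] "GET /exports/ HTTP/1.1" 200 18234 "-" "python-requests/2.31"
198.51.100.42 - - [13/Oct/2024:22:03:12 +0000] "GET /exports/applicants.csv HTTP/1.1" 200 918273 "-" "python-requests/2.31"
198.51.100.42 - - [13/Oct/2024:22:03:13 +0000] "GET /exports/payroll_2023.xlsx HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
192.0.2.9 - - [14/Oct/2024:01:00:00 +0000] "GET /exports/secret.docx HTTP/1.1" 404 512 "-" "curl/8.4"
192.0.2.9 - - [14/Oct/2024:01:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def triage(log_text, exposed_prefix="/exports/"):
    """Aggregate successful (200) reads under exposed_prefix per client IP.

    Returns (per_ip, unparsed_count). Unparsed lines are counted rather than
    dropped silently, since a log with gaps is part of the evidence.
    """
    per_ip = {}
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not rec["path"].startswith(exposed_prefix) or rec["status"] != 200:
            continue
        s = per_ip.setdefault(rec["ip"], {
            "requests": 0, "bytes": 0, "files": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["path"] != exposed_prefix:   # the directory listing itself is not a file
            s["files"].add(rec["path"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return per_ip, unparsed


def report(per_ip, researcher_ips=()):
    """Split readers into the disclosed researcher addresses and everyone else.

    The 'unknown' side is what decides whether affected people must be told.
    """
    unknown = {ip: s for ip, s in per_ip.items() if ip not in researcher_ips}
    files = set()
    for s in unknown.values():
        files |= s["files"]
    return {
        "researcher_ips_seen": sorted(ip for ip in per_ip if ip in researcher_ips),
        "unknown_reader_ips": sorted(unknown),
        "unknown_files_read": sorted(files),
        "unknown_bytes": sum(s["bytes"] for s in unknown.values()),
    }


if __name__ == "__main__":
    per_ip, bad = triage(SAMPLE_LOG)
    # 198.51.100.42 stands in for the researcher's disclosed address (assumed).
    print(report(per_ip, researcher_ips={"198.51.100.42"}))
```

On the sample data the researcher's address is the only one to fetch every file, but 203.0.113.7 pulled the payroll spreadsheet a day earlier, which is exactly the reader the company could not learn about from the researcher and would have to account for in a notification decision. Real logs also need the CDN or reverse-proxy forwarded-for header handled, and a single directory listing hit with no file reads is still an access worth recording.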

  7. Anonymous Coward

    > The independent security researcher claimed they had found 124,035 exposed files back in October, totalling 46.48 GB in size and containing details such as PII

    A good thing the files contained PII rather than "personal data", otherwise they'd potentially be in trouble due to GDPR

    1. Hans 1
      Coffee/keyboard

      > A good thing the files contained PII rather than "personal data", otherwise they'd potentially be in trouble due to GDPR

      Yes, maybe we will learn what data about the Pentium II CPU was on that server ...

  8. TimMaher Silver badge
    Facepalm

    Cloud?

    Was it lurking in some unprotected bucket? As usual?
