The Register: Infoseccer: Private security biz let guard down, exposed 120K+ files

Source URL: https://www.theregister.com/2025/01/16/private_security_biz_lets_guard/
Source: The Register
Title: Infoseccer: Private security biz let guard down, exposed 120K+ files

Feedly Summary: Assist Security’s client list includes fashion icons, critical infrastructure orgs
A London-based private security company allegedly left more than 120,000 files available online via an unsecured server, an infoseccer told The Register.…

AI Summary and Description: Yes

Summary: The text details a significant data exposure incident involving a private security company in London, where over 120,000 sensitive files were found unsecured online. This incident raises crucial concerns regarding data protection, privacy compliance, and the ethical responsibilities that organizations hold toward safeguarding personal information.

Detailed Description:
– A London-based private security firm, Assist Security, allegedly left over 120,000 files exposed on an unsecured server, compromising sensitive information.
– An independent security researcher, referred to as JayeLTee, discovered 124,035 exposed files totaling 46.48 GB in size, containing personally identifiable information (PII), payroll data, job application forms, and Security Industry Authority (SIA) cards.
– Key findings include:
  – The data covered individuals at every stage of the hiring process, including rejected applicants and staff who had resigned, which amplifies the risk of identity theft and privacy violations.
  – Sensitive documents included personal data and national insurance numbers, invoices dating back to 2005, and employee induction reports.
  – There was no indication that the employee vetting files were encrypted, which increases the harm should the data reach malicious actors.
– JayeLTee expressed skepticism regarding Assist Security’s claims of checking server logs, fueling concerns about the company’s incident response procedures.
– Assist Security communicated their corrective actions following the report but did not provide evidence to fully address claims made by the researcher regarding the unprotected data.
– Importantly, the Information Commissioner’s Office (ICO) has yet to receive a formal report from Assist Security regarding this incident. Although the exposed data qualifies as a breach under ICO’s guidelines, the company argues that they did not need to alert the ICO if internal checks show no malicious access to the files.

Key Implications:
– This incident underscores the importance of robust data protection mechanisms, especially for entities handling sensitive personal information.
– Organizations must ensure that data, particularly PII, is encrypted and securely managed, adhering to compliance requirements.
– The incident illustrates the necessity of training for staff on the importance of data security and potential risks associated with unsecured storage.
– A strong incident response plan, including the timely reporting of breaches to regulatory bodies, is critical in maintaining stakeholder trust and compliance with data protection laws.