106

Just found my current company's code on the plain internet.

We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.

Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.

This appears to be the personal website of a contractor who worked here 5 years ago.

Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, general electric...

Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.

It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.

What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?

I am in the UK. The contractor is in the US.

user5994461

  • You should absolutely get in touch with a lawyer **ASAP**. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you. – Aug 09 '19 at 12:15
  • "Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder. – Moo Aug 09 '19 at 23:24
  • I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them notwithstanding. Damage can be huge.) – Peter - Reinstate Monica Aug 10 '19 at 11:17
  • The contractor is not affected by GDPR if he is willing to never go to Europe again. However, a European company can file a civil suit or criminal charge in the USA (on other grounds). – WGroleau Aug 10 '19 at 15:11
  • @PeterA.Schneider That's really something that should only be done *after* contacting legal. – Mast Aug 11 '19 at 07:50
  • @WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach. – Aug 12 '19 at 10:33
  • The company is affected, at least until Brexit. Apologies for an incomplete comment. – WGroleau Aug 12 '19 at 14:16

8 Answers

82

First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.

Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.

Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.

Once you have looked at the data, you will be able to advise how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients, as you may have a contractual obligation to inform them.

Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.

Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.

Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.

Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).

I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.

You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then, well, to be generous, they might be using it as a simple backup of what they type. I know people who have done that.

Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.

Unicorn Tears

  • This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely **do not**, **under any circumstances**, screenshot, download, or even (to the extent you can avoid it) view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company. – Conor Mancone Aug 09 '19 at 13:42
  • @Conor Mancone fair point, I have updated my answer as I was ambiguous about which data to screenshot. – Unicorn Tears Aug 09 '19 at 15:08
  • @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should." – Tin Can Aug 09 '19 at 20:54
  • @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in any way download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information" – Conor Mancone Aug 09 '19 at 21:01
  • Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your company's legal team. Let them lead. – MaxW Aug 10 '19 at 06:19
  • @ConorMancone According to the OP it "looks like an archive of some project(s), all concatenated into **one file.**" You cannot avoid downloading other people's stuff if you want to document your own. – Peter - Reinstate Monica Aug 10 '19 at 11:09
  • @PeterA.Schneider From reading the question again it's hard to tell if absolutely everything is in one file, or merely everything for the OP's company. I agree though that if it is literally all in one file, it may be hard downloading someone else's stuff. In general though there is a clear principle: absolutely avoid downloading other people's stuff unless completely unavoidable. – Conor Mancone Aug 10 '19 at 18:35
  • Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc. – jpaugh Aug 11 '19 at 06:14
25

You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.

You could also contact the other companies affected.

Legally, you will need to contact a lawyer and the law enforcement in your jurisdiction.

schroeder
20

It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.

Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.

user3583489
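As an added illustration of the "audit your access logs" step in the answer above (example code, not part of the original answer), this script scans sshd-style auth-log lines for any use of a set of accounts known to be in the leak on or after the contractor's departure date; the log lines, account names, addresses and dates are constructed sample data.

```python
import re
from datetime import datetime

# Constructed sshd-style auth lines with ISO-8601 UTC timestamps (sample data, not real).
SAMPLE_LOG = """\
2019-06-02T09:10:11Z sshd[2001]: Accepted password for ctr_deploy from 10.0.0.12 port 50012 ssh2
2019-08-08T02:13:44Z sshd[2231]: Accepted password for ctr_deploy from 198.51.100.7 port 51022 ssh2
2019-08-08T02:15:02Z sshd[2232]: Failed password for ctr_deploy from 198.51.100.7 port 51030 ssh2
2019-08-09T11:40:55Z sshd[2300]: Accepted publickey for ops_admin from 203.0.113.9 port 40011 ssh2
2019-08-09T11:41:10Z sshd[2301]: Failed password for invalid user oldftp from 203.0.113.9 port 40012 ssh2
2019-08-09T12:00:00Z sshd[2302]: Accepted password for alice from 10.0.0.15 port 50100 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_line(line):
    """One auth event as a dict, or None for lines that are not login outcomes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"when": _utc(m["ts"]), "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}

def post_departure_activity(log_text, leaked_accounts, departure_iso):
    """Events for leaked accounts on/after the departure date. Failed attempts are
    kept on purpose: after a public leak they show the credentials being tried
    even if the account had already been disabled."""
    departure = _utc(departure_iso)
    events = (parse_line(ln) for ln in log_text.splitlines())
    return [e for e in events
            if e and e["user"] in leaked_accounts and e["when"] >= departure]

def summarize(events):
    """Per-account accepted/failed counts and distinct source addresses."""
    summary = {}
    for e in events:
        acct = summary.setdefault(e["user"], {"accepted": 0, "failed": 0, "sources": set()})
        acct["accepted" if e["outcome"] == "Accepted" else "failed"] += 1
        acct["sources"].add(e["src"])
    for acct in summary.values():
        acct["sources"] = sorted(acct["sources"])
    return summary
```

Run it as `summarize(post_departure_activity(SAMPLE_LOG, {"ctr_deploy", "oldftp"}, "2019-08-01T00:00:00Z"))`; the per-account counts and source addresses it returns are what belongs in the incident log.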
16

If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.

This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.

Don't try to do anything outside of the company by yourself.

Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.

If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.

Roger Lucas
8

For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.

Moo
  • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online. – Peter - Reinstate Monica Aug 10 '19 at 11:13
  • @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sorts of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability. – Moo Aug 10 '19 at 11:43
  • Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof. – Peter - Reinstate Monica Aug 10 '19 at 12:16
  • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved. – mckenzm Aug 11 '19 at 05:25
  • @PeterA.Schneider FWIW, You should *never* pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff. – jpaugh Aug 11 '19 at 06:24
  • @mckenzm Are you talking (strictly) about a non-US company serving a DMCA request to a US-based business, or about serving (say) the EU equivalent of DMCA to an EU-based business? – jpaugh Aug 11 '19 at 06:27
2

I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.

Let the owner/COO/corporate counsel contact law enforcement.

US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.

Let the lawyers handle any screenshots.

Let law enforcement notify other entities that their sensitive information has leaked.

1

This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest that anyone this happens to consider the following.

Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious, threat actor has the capability to gather immense troves of data on your company, contractors and its internals, so it will be known who the contractors are. You might not believe it, but the HR software your company uses to manage its employees is more vulnerable than a defenseless cat cornered by 10 wolves.

Oftentimes these contractors aren't serious about security and are way, way easier to penetrate than the company itself, which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?

By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.

You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and oftentimes mentally ill. Statistically speaking, there's no way he did this himself and, by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.

You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?

Something smells bad here.

As the top answer said, go to a lawyer, but don't go in bad faith.

coolpasta
0

First, I suggest you change the credentials of everything you know of. There are hackers who love this kind of data and use it for their own purposes, like cyber attacks, ransomware, etc.

Also, at the same time, initiate the complaint to take down the site and stop the spread of the data on the internet.

These are important. First protect your business. Later you can go for legal proceedings on the person.

Mahesh V
  • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords. – Thomas Weller Aug 12 '19 at 19:14