‘Carelessness’: UK, Canadian governments leave ‘sensitive data’ exposed to public on Trello website
The discovery was first made in April by cyber-security researcher Kushagra Pathak, who, using advanced Google search queries, “found that a lot of individuals, companies, and organizations are putting their sensitive information on their public Trello boards,” he told RT.
Among those Pathak found to have a wealth of “internal confidential data and some credentials” exposed were the Canadian and UK governments, which between them had 50 Trello pages, or boards as they are known on the project management site, made publicly available by public servants.
“Information like unfixed bugs, security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards — you name it, is available on their public Trello Boards which are being indexed by all the search engines and anyone can easily find them and view them without any restriction or hacking something,” he explained.
What’s more, Pathak highlighted that the mishap wasn't even due to a vulnerability on the part of Trello, which sets any board’s visibility to private by default and requires the user to set their boards to public.
One possibility is that a public servant set the boards to public by “mistake”; however, the “sake of easiness” may have been another factor, according to Pathak, who explained that by keeping the pages open, administrators could share a board with team members “just by sharing the URL” instead of adding them to it.
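The risk described above is a visibility setting, not a Trello flaw, so it is auditable from the defender's side. The following is an added example (not code from the article or from Trello): it walks a list of board records in the shape of Trello's board JSON export, flags every board whose `prefs.permissionLevel` is `public`, and lists cards on those boards whose text looks like stored credentials. The board records, URLs and card contents are constructed sample data; the field names are assumed to follow Trello's export format.

```python
import re

# Constructed sample records in the shape of a Trello board export.
# Only the fields the audit reads are present; all values are made up.
SAMPLE_BOARDS = [
    {
        "name": "Dept Ops",
        "url": "https://trello.com/b/EXAMPLE1",  # placeholder, not a real board
        "prefs": {"permissionLevel": "public"},
        "cards": [
            {"name": "Twitter account",
             "desc": "login: press@example.gov\npassword: Summer2018!"},
            {"name": "Fix pagination bug", "desc": "Repro steps attached"},
        ],
    },
    {
        "name": "Team private",
        "url": "https://trello.com/b/EXAMPLE2",  # placeholder
        "prefs": {"permissionLevel": "private"},
        "cards": [{"name": "Admin dashboard", "desc": "api_key=CONSTRUCTED"}],
    },
    {"name": "Org board", "prefs": {"permissionLevel": "org"}, "cards": []},
]

# Heuristics for "this card holds a credential": a secret-ish label
# immediately followed by a ':' or '=' assignment.
SECRET_PATTERNS = [
    re.compile(r"\b(password|passwd|pwd)\s*[:=]", re.I),
    re.compile(r"\b(api[_-]?key|secret|token)\s*[:=]", re.I),
]


def is_public(board: dict) -> bool:
    """True when the board is visible to anyone with the URL (and to search engines)."""
    return board.get("prefs", {}).get("permissionLevel") == "public"


def looks_like_secret(text: str) -> bool:
    """True when any credential-style pattern appears in the card text."""
    return any(p.search(text) for p in SECRET_PATTERNS)


def audit_boards(boards: list) -> list:
    """Return one finding per public board, with the names of suspect cards."""
    findings = []
    for board in boards:
        if not is_public(board):
            continue
        suspect = [c.get("name", "") for c in board.get("cards", [])
                   if looks_like_secret(c.get("name", "") + "\n" + c.get("desc", ""))]
        findings.append({"board": board.get("name"), "url": board.get("url"),
                         "suspect_cards": suspect})
    return findings
```

Any board returned by `audit_boards` should be switched back to private or team visibility, and credentials found in its cards rotated, since the board may already have been indexed.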
“Adding people to the board seems to be huge task for these people but in fact it is really easy,” he concluded.
While the boards didn’t possess any military secrets or intelligence data, Pathak did confirm that there was “sensitive internal information present on these boards about departments other than defence.”
Calling the incident “carelessness and nothing more,” Bill Mew, a privacy activist and technology expert, told RT that “similar errors” had been pointed out to companies like Uber in recent months.
Describing the breach as “human error and nothing more,” Mew maintained that the growing number of government systems “migrating to the cloud” is itself secure, saying cloud platforms allow for “far greater collaboration in a far more secure way.”
“But you have to avoid some of the fundamental mistakes, such as the one that was made in this case,” he added.
“This is just an example of the fact that users are very often the weakest link in all of this.”
A statement by Trello said: “We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible. Additionally, visibility settings are displayed persistently on the top of every board.”