MacKeeper researchers recently discovered more than 400 GB of publicly accessible data online with no password protection, linked to the printing and design company PIP Printing and Marketing Services.
The data includes credit card numbers, billing information, and scanned documents relating to medical records, court cases, leading companies and celebrities — including former NFL players’ Social Security numbers and medical information, papers related to lawsuits against Hollywood studios, and thousands of confidential files from Hustler Hollywood stores (including information related to a sexual harassment lawsuit filed by a store manager).
“This is just another example of how digital our lives have become and even something as simple as printing documents can expose customers’ sensitive data,” the researchers wrote.
The researchers first discovered the data in October 2016. They tried to notify PIP Printing by email and phone, but received no response.
Michael Bluestein, PIP’s owner, told NBC News that the breach occurred when a third-party IT firm accidentally misconfigured its backup protocols.
The company recently issued a statement saying it takes the security of its clients’ material very seriously. “We acted quickly to lock down access to our database and further secure our server and encryption,” PIP stated. “We immediately strengthened our security controls. We changed all passwords, took offline all computers that may have been affected, and we brought in forensic IT experts that are in the process of determining what data was involved.”
Jeff Hill, director of product management at Prevalent, told eSecurity Planet by email that the PIP breach shows how multi-dimensional today’s cyber threat environment is. “First, not only did it involve a third party (PIP), but in reality, the vulnerability was attributable to a fourth party (the IT company responsible for PIP’s systems), illustrating the danger in today’s extended data supply chain,” he said.
“Second, the intrusion wasn’t discovered for four months, giving the attackers ample time to locate and extract the most sensitive — and in this case, salacious — data,” Hill added. “Third, the case exemplifies the importance of vendor diligence in the digital age for even what most would consider an innocuous sub-contractor, a printer.”
“Finally, driven home here is the formerly quaint notion that sensitive information equals credit card numbers and phone numbers,” Hill said. “Indeed, it’s a safe bet that the victims in the PIP breach would gladly trade a stolen credit card number that can easily be cancelled for the exposure of embarrassing details of a lawsuit deposition or sexual harassment claim.”
A recent survey of 2,000 IT professionals in the U.K., sponsored by LogRhythm, ForeScout and Gigamon, found that fully 80 percent of respondents said their confidential data may be vulnerable to attack, Infosecurity reports.
Forty-four percent acknowledged having experienced a data breach.