Champion of an open, secure internet blames breach on third-party oversight
UPDATED The Internet Society (ISOC), a non-profit dedicated to keeping the internet open and secure, has blamed the inadvertent exposure of its 80,000-plus members’ personal data on a third-party vendor.
The data, which was publicly accessible on an unprotected Microsoft Azure cloud repository, comprised millions of JSON files including, among other things, full names, email and mailing addresses, and login details.
“Based on the size and nature of the exposed repository, we can assume that all of the members’ login and adjacent information was open to the public internet for an undefined period of time,” said cybersecurity firm Clario in a blog post today (February 15).
Helped by independent researcher Bob Diachenko, security researchers from Clario made the discovery and alerted the Internet Society on December 8, 2021. The repository was secured a week later, on December 15.
Diachenko told The Daily Swig that the data was probably exposed for at least one month.
Misconfiguration
“We take data security seriously, and launched an investigation as soon as we learned of the issue,” ISOC told The Daily Swig this week. “In addition, third-party forensics experts were retained to assist.
“We discovered our association management system was configured incorrectly by a vendor. This did result in member data being publicly accessible, but we have now resolved this issue.”
The non-profit added: “Fortunately, we have not seen any instances of malicious access to member data as a result, and we are continuing to monitor.”
‘Making the internet stronger’
Clario said that if cybercriminals had accessed the data, it could have left victims more vulnerable to phishing attacks, identity theft, and fraud.
“The breach suggests ISOC needs to do more to enhance their security infrastructure and adhere to the best practices they champion around making the internet stronger and more secure,” said the researchers.
Founded in 1992, Virginia-based ISOC has chapters around the world and advocates for an internet that is resilient, open, and – with 37% of the world’s population having never used the internet – accessible to all.
Clario advised potentially impacted members to change their online ISOC passwords and be on guard for suspicious-looking emails or links.
This is the second incident Clario has disclosed this month in which a third-party vendor has been blamed for sensitive personal data being exposed within an unprotected Microsoft Azure blob repository.
As reported by The Daily Swig, the previous data breach involved information belonging to students and held by the British Council, which provides English language courses worldwide.
This article was updated on February 15 with comment from researcher Bob Diachenko