Ex-contractor published company source code and secrets online
Just found my current company's code on the plain internet.
We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.
Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.
This appears to be the personal website of a contractor who worked here 5 years ago.
Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, General Electric...
Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.
It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.
What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?
data-leakage infoleak
asked 12 hours ago
user5994461
What country are you in?
– schroeder♦
12 hours ago
I am in the UK. The contractor is in the US.
– user5994461
12 hours ago
You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.
– MechMK1
11 hours ago
"Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.
– Moo
13 mins ago
4 Answers
First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem not an IT problem. I say screenshots because that is unambiguous and lawyers understand screenshots.
Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO in which case I would be inclined to inform people internally.
Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware, that includes the weekend. (never go looking for incidents on a Friday...) Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.
Once you have looked at the data, you will be able to advise how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients, as you may have a contractual obligation to inform them.
Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.
Contact the contractor, ideally via their contracted company and via the in-house lawyer. Demand they take down what is there.
Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.
Depending on the size of your company, your appetite for risk and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes, I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).
I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.
You mention a keylog; if you are wondering why an individual might have a keystroke logger on their own PC then, to be generous, they might be using it as a simple backup of what they type. I know people who have done that.
Aside: as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example, people link their home data storage to the internet via FTP. We run regular assessments for such data that contains our company strings.
This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.
– Conor Mancone
9 hours ago
@Conor Mancone fair point, I have updated my answer as I was ambiguous about which data to screenshot.
– Unicorn Tears
8 hours ago
@ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."
– Tin Can
2 hours ago
@TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the names of the companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in any way download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information."
– Conor Mancone
2 hours ago
You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.
You could also contact the other companies affected.
Legally, you will need to contact a lawyer and the law enforcement in your jurisdiction.
It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.
Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.
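One way to carry out the access-log audit this answer recommends, as an added example that is not part of the answer or the original page: scan an sshd auth log for any use of accounts whose credentials appeared in the leak after the contractor's engagement ended. The log lines, account names, hostnames, addresses and departure date below are all constructed; the parser assumes rsyslog-style lines with ISO 8601 timestamps and standard OpenSSH "Accepted"/"Failed" messages.

```python
"""Audit SSH auth logs for post-departure use of accounts found in the leak.

Added example (not from the original post). Assumes rsyslog-style lines with
ISO 8601 timestamps and standard OpenSSH "Accepted"/"Failed" messages; the
account names, hosts, addresses and departure date are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Accounts whose credentials were found in the published archive (constructed).
LEAKED_ACCOUNTS = {"deploy", "svc_ftp", "oracle"}

# Date the contractor's engagement ended (constructed placeholder).
CONTRACTOR_LEFT = datetime(2014, 6, 30, tzinfo=timezone.utc)

# Constructed sample of sshd log lines (rsyslog RFC 3339 timestamp format).
SAMPLE_LOG = """\
2014-05-02T09:14:51+00:00 prod-app01 sshd[1411]: Accepted publickey for deploy from 10.20.30.40 port 50122 ssh2
2014-07-19T23:41:03+00:00 prod-db01 sshd[2231]: Accepted password for oracle from 198.51.100.7 port 51022 ssh2
2015-01-08T04:02:17+00:00 prod-db01 sshd[2240]: Failed password for svc_ftp from 203.0.113.45 port 51030 ssh2
2015-01-08T04:02:21+00:00 prod-db01 sshd[2240]: Failed password for svc_ftp from 203.0.113.45 port 51031 ssh2
2015-01-08T04:02:29+00:00 prod-db01 sshd[2240]: Accepted password for svc_ftp from 203.0.113.45 port 51032 ssh2
2016-03-11T12:00:00+00:00 prod-app01 sshd[3012]: Accepted publickey for alice from 10.20.30.41 port 50200 ssh2
2016-03-11T12:05:13+00:00 prod-app01 sshd[3020]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
"""

# Matches both "Accepted publickey for X" and "Failed password for invalid user X".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])  # timezone-aware
    return rec


def audit_leaked_accounts(log_text, leaked_accounts, departure):
    """Find post-departure activity on accounts whose credentials were leaked.

    Returns (successes, failed_attempts):
      successes       - records of successful logins after `departure`
      failed_attempts - Counter of (user, source ip) for failed attempts after
                        `departure`; a burst here suggests someone is trying
                        the published credentials
    """
    successes = []
    failed_attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in leaked_accounts:
            continue
        if rec["ts"] <= departure:
            continue  # activity during the engagement is expected
        if rec["outcome"] == "Accepted":
            successes.append(rec)
        else:
            failed_attempts[(rec["user"], rec["ip"])] += 1
    return successes, failed_attempts


def summarise(successes, failed_attempts):
    """Lines for the incident log the answer recommends keeping (when/how found)."""
    lines = []
    for rec in successes:
        lines.append(
            f"{rec['ts'].isoformat()} {rec['host']}: leaked account '{rec['user']}' "
            f"logged in via {rec['method']} from {rec['ip']}"
        )
    for (user, ip), n in failed_attempts.items():
        lines.append(f"{n} failed attempt(s) on leaked account '{user}' from {ip}")
    return lines


if __name__ == "__main__":
    ok, failed = audit_leaked_accounts(SAMPLE_LOG, LEAKED_ACCOUNTS, CONTRACTOR_LEFT)
    for line in summarise(ok, failed):
        print(line)
```

Any hit in `successes` means the credentials were still live after the contractor left and that session needs investigating; the `failed_attempts` counter separates probing from actual access.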
For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.
New contributor
Moo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
user5994461 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215025%2fex-contractor-published-company-source-code-and-secrets-online%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem not an IT problem. I say screenshots because that is unambiguous and lawyers understand screenshots.
Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO in which case I would be inclined to inform people internally.
Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware, that includes the weekend. (never go looking for incidents on a Friday...) Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.
Once you have looked at the data, you will be able to advice how many data subjects are affected if any. You will also be able to determine if the data breach affect any of your clients as you may have a contractual obligation to inform them.
Contact the hosting company. If it's something like github then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.
Contact the contractor, ideally via their contracted company and via the in-house lawyer. Demand they take down what is there.
Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.
Depending on the size of your company and your appetite to risk and your pocket size you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).
I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.
You mention keylog, if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.
Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.
New contributor
Unicorn Tears is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
10
This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.
– Conor Mancone
9 hours ago
@Conor Mancone fair point i have updated my answer as I was ambiguous about which data to screenshot.
– Unicorn Tears
8 hours ago
@ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."
– Tin Can
2 hours ago
1
@TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"
– Conor Mancone
2 hours ago
add a comment |
First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem not an IT problem. I say screenshots because that is unambiguous and lawyers understand screenshots.
Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO in which case I would be inclined to inform people internally.
Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware, that includes the weekend. (never go looking for incidents on a Friday...) Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.
Once you have looked at the data, you will be able to advice how many data subjects are affected if any. You will also be able to determine if the data breach affect any of your clients as you may have a contractual obligation to inform them.
Contact the hosting company. If it's something like github then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.
Contact the contractor, ideally via their contracted company and via the in-house lawyer. Demand they take down what is there.
Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.
Depending on the size of your company and your appetite to risk and your pocket size you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).
I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.
You mention keylog, if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.
Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.
New contributor
Unicorn Tears is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
10
This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.
– Conor Mancone
9 hours ago
@Conor Mancone fair point i have updated my answer as I was ambiguous about which data to screenshot.
– Unicorn Tears
8 hours ago
@ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."
– Tin Can
2 hours ago
1
@TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"
– Conor Mancone
2 hours ago
add a comment |
First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say screenshots because that is unambiguous and lawyers understand screenshots.
Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO, unless you are the CIO, in which case I would be inclined to inform people internally.
Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly, as you have 72 hours to make the decision from the point you are aware, and that includes the weekend (never go looking for incidents on a Friday...). Your DPO will advise. If you are the DPO then you might want to engage your company's external legal counsel to confirm your decisions.
Once you have looked at the data, you will be able to advise how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients, as you may have a contractual obligation to inform them.
Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.
Contact the contractor, ideally via their contracted company and via the in-house lawyer. Demand they take down what is there.
Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed, I expect.
Depending on the size of your company, your appetite for risk and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes, I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little.)
I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them, and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner; entirely up to you.
You mention keylog: if you are wondering why an individual might have a keystroke logger on their own PC then, to be generous, they might be using it as a simple backup of what they type. I know people who have done that.
Aside: finally, as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example, people link their home data storage to the internet via FTP. We run regular assessments for such data that contains our company strings.
edited 8 hours ago
answered 10 hours ago
Unicorn Tears
4625 bronze badges
10
This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot, download, or even (to the extent you can avoid it) view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.
– Conor Mancone
9 hours ago
@Conor Mancone Fair point, I have updated my answer as I was ambiguous about which data to screenshot.
– Unicorn Tears
8 hours ago
@ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."
– Tin Can
2 hours ago
1
@TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in any way download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information."
– Conor Mancone
2 hours ago
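The answer above says to screenshot your own data, record the URLs and document it in a way a lawyer can understand. One way to make that documentation hold up later is a manifest that records a cryptographic hash and capture time for each screenshot, so it can be shown that the file handed over is the one captured at that time and has not been altered since. The script below is an added example written for this page, not code from the answer or from any product; the file name, URL and screenshot contents it uses are constructed placeholders.

```python
"""Evidence manifest for a leak finding (added example, not from the answer).

Each record covers one piece of evidence about YOUR OWN data (a screenshot,
the URL it came from), with a SHA-256 hash, size and UTC capture time, so it
can later be shown that the file handed to a lawyer is unchanged.  File
names, URLs and contents here are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a screenshot's bytes; a real run hashes the PNG.
SAMPLE_BYTES = b"\x89PNG constructed placeholder screenshot bytes"


def sha256_file(path):
    """Hash the file in chunks so large screenshots never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def add_evidence(manifest, path, source_url, note, captured_at=None):
    """Append one evidence record to the manifest and return the record."""
    captured_at = captured_at or datetime.now(timezone.utc)
    record = {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "source_url": source_url,
        "captured_at_utc": captured_at.isoformat(),
        "note": note,
    }
    manifest.append(record)
    return record


def verify_manifest(manifest, directory):
    """Return the names of files that are missing or whose hash no longer
    matches the manifest; an empty list means the evidence set is intact."""
    problems = []
    for record in manifest:
        path = os.path.join(directory, record["file"])
        if not os.path.isfile(path) or sha256_file(path) != record["sha256"]:
            problems.append(record["file"])
    return problems


def demo():
    """Build a one-entry manifest in a temp dir, verify it, then show that
    altering the screenshot afterwards is detected.  Returns
    (manifest, problems_before, problems_after)."""
    manifest = []
    with tempfile.TemporaryDirectory() as d:
        shot = os.path.join(d, "listing-2019-08-15.png")   # constructed name
        with open(shot, "wb") as f:
            f.write(SAMPLE_BYTES)
        add_evidence(
            manifest, shot,
            "https://hosting.example/leak/our-repo/",       # constructed URL
            "Directory listing showing our repository name",
            captured_at=datetime(2019, 8, 15, 9, 30, tzinfo=timezone.utc),
        )
        before = verify_manifest(manifest, d)
        with open(shot, "ab") as f:                          # simulate tampering
            f.write(b"x")
        after = verify_manifest(manifest, d)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("intact before:", before == [], "tampering detected:", after)
```

Keep the manifest JSON alongside the screenshots and hand both over together; `verify_manifest` can then be re-run by anyone holding the files to confirm nothing changed in the meantime. As the comments on the answer stress, only your own data belongs in this catalogue.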
You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.
You could also contact the other companies affected.
Legally, you will need to contact a lawyer and the law enforcement in your jurisdiction.
answered 12 hours ago
schroeder♦
84.4k34 gold badges188 silver badges226 bronze badges
It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.
Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.
answered 11 hours ago
user3583489
612 bronze badges
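The answer above recommends auditing your access logs to check whether the leaked credentials have been used since the contractor left. The script below is an added example of that audit, written for this page rather than taken from the answer or from any tool; it assumes OpenSSH's standard "Accepted/Failed <method> for <user> from <ip>" syslog lines, and the account names, departure date, corporate address range and log lines are all constructed for the example (syslog lines carry no year, so the caller supplies it).

```python
"""Audit of sshd logins against accounts exposed in a leak (added example).

Assumes OpenSSH's standard "Accepted/Failed <method> for <user> from <ip>"
syslog lines.  Leaked account names, departure date, corporate network
range and the log lines below are constructed for the example.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: ordinary staff logins mixed with logins using the
# leaked accounts from addresses outside the (constructed) corporate range.
SAMPLE_LOG = """\
Aug 14 08:02:11 build01 sshd[2112]: Accepted publickey for deploy from 10.0.4.7 port 51022 ssh2
Aug 16 23:41:05 build01 sshd[3391]: Accepted password for jdoe from 203.0.113.45 port 40112 ssh2
Aug 17 02:13:48 build01 sshd[3402]: Failed password for jdoe from 198.51.100.9 port 55500 ssh2
Aug 17 02:14:02 build01 sshd[3402]: Accepted password for jdoe from 198.51.100.9 port 55500 ssh2
Aug 17 09:00:00 build01 sshd[3510]: Accepted publickey for alice from 10.0.4.12 port 50000 ssh2
Aug 18 11:20:30 build01 sshd[3600]: Failed password for invalid user admin from 198.51.100.9 port 55600 ssh2
"""

LEAKED_ACCOUNTS = {"jdoe", "deploy"}                            # constructed
DEPARTURE = datetime(2019, 8, 15, tzinfo=timezone.utc)          # constructed
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # constructed

MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year):
    """Turn one sshd syslog line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
    return {"time": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "source": m["ip"]}


def is_corporate(ip_text):
    """True when the source address lies inside one of our own ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in CORPORATE_NETS)


def audit(log_text, leaked_accounts, departure, year):
    """Report every use of a leaked account on or after the departure date.

    Returns accepted logins (these need incident handling), failed attempts
    (evidence that the credentials are being tried) and the set of
    non-corporate source addresses involved."""
    accepted, failed, external = [], [], set()
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["user"] not in leaked_accounts or ev["time"] < departure:
            continue
        (accepted if ev["result"] == "Accepted" else failed).append(ev)
        if not is_corporate(ev["source"]):
            external.add(ev["source"])
    return {"accepted": accepted, "failed": failed, "external_sources": external}


def audit_sample():
    """Run the audit over the constructed log with the constructed parameters."""
    return audit(SAMPLE_LOG, LEAKED_ACCOUNTS, DEPARTURE, year=2019)


if __name__ == "__main__":
    report = audit_sample()
    for ev in report["accepted"]:
        print(f"ACCEPTED {ev['time']:%Y-%m-%d %H:%M:%S} {ev['user']} "
              f"from {ev['source']} ({ev['method']})")
    for ev in report["failed"]:
        print(f"failed   {ev['time']:%Y-%m-%d %H:%M:%S} {ev['user']} from {ev['source']}")
    print("external sources:", sorted(report["external_sources"]))
```

In the constructed sample the `deploy` login on 14 Aug predates the departure and is ignored, while the two accepted `jdoe` logins from non-corporate addresses after 15 Aug are exactly what the answer says to assume once credentials sit on a public site: treat them as compromise, not as noise. Point the same function at the real auth logs (and at any other systems the leaked credentials covered) and feed the accepted entries straight into the incident record, along with the rotation of every exposed credential.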
For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.
answered 10 mins ago
Moo
1111 bronze badge
What country are you in?
– schroeder♦
12 hours ago
5
I am in the UK. The contractor is in the US.
– user5994461
12 hours ago
18
You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.
– MechMK1
11 hours ago
"Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.
– Moo
13 mins ago