At a glance.
- Murata Manufacturing data breach.
- Accellion FTA breach propagates through the supply chain.
- Brooklyn Tech students find things on their school's Google Drive that shouldn't have been there.
Murata apologizes for a subcontractor's downloading of business documents.
An interesting case of third-party risk emerged in Japan this week. ZDNet reports that Japanese electronic component maker Murata Manufacturing has apologized to its business partners for an incident on June 28th when a subcontractor's employee downloaded a project file and "uploaded it to the personal account of an external cloud service in China." The data in the file included such partner information as "company name, address, associated names, phone numbers, email addresses and bank account numbers." Also improperly accessed were "41,00 documents about employees were in the leak as well, similarly containing names, addresses and bank account numbers." Murata is embarrassed by the incident, but believes that no one other than the one subcontractor employee accessed the files.
The Accellion breach continues to propagate through downstream IT systems.
Tech Target has a summary of how the exploitation of Accellion's File Transfer Appliance (FTA) in December of 2020 continues to ripple through US enterprise IT systems. The most recent wave of breaches have occurred through Guidehouse Inc., a consultancy and managed service provider with customers in a range of sectors, including healthcare and financial services.
More background to the New York City schools data breach.
More details have emerged in the case of the New York City public schools data breach. Bklyner describes how the breach was discovered: "tech savvy" high school students at Brooklyn Tech in January stumbled across misorganization in the schools' Google Drive. As they were submitting homework during a period of remote learning, they found that documents that ought not to have been in that segment of the drive were not only present, but openly accessible as well. "Those documents included second graders’ classwork, a parent-teacher conference sign-up sheet, and college recommendation letters." The students did the right thing and asked for a meeting with "a senior member of the school staff," presenting their findings with supporting PowerPoint and plenty of detail. “At that point [after the meeting] we thought the issue was going to get taken care of," one of the students said. "We kind of forgot about it.”
When they remembered it, in March, and checked again to see if the privacy problem had been resolved, they found instead that it had actually become worse. This time they found a school "payroll document that contained teacher pay information, along with social security numbers, phone numbers and addresses." On March 18th the students notified the city's education department, which responded quickly to their emailed report.
The education department said last week that some student and faculty data had been exposed in a Google Drive, but wouldn't confirm that this was the same incident the Brooklyn Tech students reported earlier this year.