Casio discloses breach of customer data.
By Tim Nodar, CyberWire senior staff writer
Oct 20, 2023

A development environment may have been mishandled.

Japanese electronics company Casio has disclosed a data breach of personal information belonging to customers in 149 countries. 

Education web application affected.

The breach affected ClassPad, Casio's education web application, and involved “91,921 items belonging to customers, including individuals and 1,108 educational institution customers.” The exposed data included customer names, email addresses, purchasing information (the company notes that it doesn’t retain credit card data), and service usage information.

How the breach happened.

Casio stated, “On the evening of Wednesday, October 11, when the person in charge attempted to work in the development environment, it was discovered that a database failure had occurred, and the company assessed the situation. As the company continued to analyze the situation, it was additionally confirmed that, on the evening of Thursday, October 12, the personal information of some residents of countries other than Japan was accessed. At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management. Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access.”

Testing and human error.

Ray Kelly, Fellow at Synopsys Software Integrity Group, sees an object lesson in the importance of testing apps in production. “This breach highlights the importance of testing web applications in production,” Kelly wrote. “While the specific details of this attack are still unclear, it appears that a development database ended up being publicly exposed to Casio's production web site due to network misconfiguration. While conducting application security testing in pre-production is a good security practice, it does not, however, allow applications to evade security issues—such as server and network misconfigurations or problems in the supply chain via the build pipeline—once deployed to production.”

Roger Grimes, data-driven defense evangelist at KnowBe4, sees human error as the root cause. “This data breach was caused by human error which led to a network and database compromise,” he wrote. “It's important that any changes impacting cybersecurity be reviewed prior to implementation and that all security settings be periodically reviewed for accuracy. It shows the importance of change control and configuration control. These can be considered ‘boring topics’ by some, but are must-haves if an organization is expected to stay secure as it can over the long run.”
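The commentary above recommends periodic review of security settings and flags a development database reachable over the network as the likely failure. As an added example, not part of the original article and not Casio's own tooling, the script below audits a constructed firewall or security-group rule set and reports every database port that an allow rule makes reachable from outside the internal address space. The weak rule set models a development environment whose network restrictions were disabled; the corrected set is the reviewed version. The port list, the RFC 1918 internal ranges and all rule names are assumptions chosen for illustration.

```python
"""Audit firewall / security-group rules for database ports exposed to non-internal sources.
Added example: constructed data, not Casio's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Database ports that should never be reachable from outside. Assumed list; extend as needed.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb"}

# Assumed internal address space (RFC 1918). Replace with the real network's ranges.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    environment: str   # e.g. "dev" or "prod"
    source: str        # CIDR allowed (or denied) to connect
    port_from: int
    port_to: int
    action: str = "allow"


def is_internal_source(cidr: str) -> bool:
    """True only if the whole source range lies inside one allowed internal range.
    A broad range such as 0.0.0.0/0 is therefore treated as external."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def audit(rules: List[Rule]) -> List[Tuple[str, str, int, str]]:
    """Return (rule name, environment, port, service) for each allow rule that lets a
    non-internal source reach a database port. Ranges are checked per port, so a
    'permit everything' rule (0-65535) is reported once per database service."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or is_internal_source(rule.source):
            continue
        for port, service in sorted(DB_PORTS.items()):
            if rule.port_from <= port <= rule.port_to:
                findings.append((rule.name, rule.environment, port, service))
    return findings


# Constructed rule sets (hypothetical names and addresses).
WEAK_RULES = [
    Rule("dev-allow-all", "dev", "0.0.0.0/0", 0, 65535),   # restrictions effectively disabled
    Rule("dev-web", "dev", "0.0.0.0/0", 443, 443),
]

CORRECTED_RULES = [
    Rule("dev-db-from-vpc", "dev", "10.20.0.0/16", 5432, 5432),   # database only from the VPC
    Rule("dev-web", "dev", "0.0.0.0/0", 443, 443),                # HTTPS may stay public
    Rule("dev-deny-rest", "dev", "0.0.0.0/0", 0, 65535, action="deny"),
]


def main() -> None:
    for label, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        findings = audit(rules)
        print(f"{label}: {len(findings)} exposed database port(s)")
        for name, env, port, service in findings:
            print(f"  {env}/{name} exposes {service} on port {port}")


if __name__ == "__main__":
    main()
```

Run as a scheduled job against rules exported from the real environment, the audit turns the "periodic review" Grimes describes into an automated check; a non-empty result for any environment, development included, is a finding to act on before an external party does.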