Last organisation I worked for—not for profit, health—had around 17,500 employees. One of the cybersecurity managers had every employees details and devices on a Google Sheet private account that anyone could see if they had the share URL.
Home addresses, phone numbers, MAC addresses, IMEIs, columns of PII…
I started getting all sorts of unsolicited contact and 2-step authentication alerts “randomly” after two months there and 8 months later rEvil successfully ransomwared for $3.4M.
So when I found this sheet and no one took it seriously, I declared an internal data breach, submitted it to the fed—as you legally must in this country—and shit hit the fan for that department.
Last organisation I worked for—not for profit, health—had around 17,500 employees. One of the cybersecurity managers had every employees details and devices on a Google Sheet private account that anyone could see if they had the share URL.
Home addresses, phone numbers, MAC addresses, IMEIs, columns of PII…
I started getting all sorts of unsolicited contact and 2-step authentication alerts “randomly” after two months there and 8 months later rEvil successfully ransomwared for $3.4M.
So when I found this sheet and no one took it seriously, I declared an internal data breach, submitted it to the fed—as you legally must in this country—and shit hit the fan for that department.