The government of Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system, by misconfiguring pages on Trello, a project management website.
25 Canadian government Trello boards contained sensitive information, such as remote file access (FTP) credentials and login details for the Eventbrite event-planning platform.
The government of Canada said that departments and agencies of the Government of Canada must apply adequate security controls to protect their users, information, and assets.
Employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.
Source: https://theintercept.com/2018/08/16/trello-board-uk-canada/
TPRM report: https://scoringcyber.rankiteo.com/company/government-of-canada
"id": "gov12181122",
"linkid": "government-of-canada",
"type": "Data Leak",
"date": "08/2018",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'Canada',
                        'name': 'Government of Canada',
                        'type': 'Government'}],
 'attack_vector': 'Misconfiguration',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['software bugs',
                                              'security plans',
                                              'server passwords',
                                              'official internet domains',
                                              'conference calls',
                                              'event-planning system details']},
 'description': 'The government of Canada exposed sensitive information including software bugs, security plans, server passwords, official internet domains, conference calls, and event-planning system details due to misconfigured Trello boards.',
 'impact': {'data_compromised': ['software bugs',
                                 'security plans',
                                 'server passwords',
                                 'official internet domains',
                                 'conference calls',
                                 'event-planning system details'],
            'systems_affected': ['Trello boards']},
 'lessons_learned': 'Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.',
 'post_incident_analysis': {'corrective_actions': 'Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools.',
                            'root_causes': 'Misconfiguration of Trello boards leading to exposure of sensitive information.'},
 'recommendations': 'Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage.',
 'response': {'remediation_measures': ['Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.']},
 'title': 'Canadian Government Data Exposure via Trello',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Misconfigured third-party service'}