The government of the United Kingdom exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system, by misconfiguring boards on Trello, a project management website.
The U.K. government also exposed a small quantity of code for running a government website, as well as a limited number of emails.
Twenty-five public Trello boards belonging to different U.K. government departments were exposed.
These included login credentials to a U.K. government account on a domain registrar, emails that had been pasted onto the boards, a link to a snippet of backend code of a government site, and information on bugs, albeit not bugs disclosing security issues.
The boards also included conference call details and access codes, and login information for cPanel, a server administration tool.
The U.K. Government Digital Service's guidance states that no personal or sensitive data should be published on Trello.
The service also has an Information Assurance Team to guide staff on the appropriate use of online tools.
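The guidance above is a policy statement; the control that actually catches this class of leak is an audit of board visibility and card content before a search engine or crawler indexes it. The script below is an added example, not code from The Intercept article, the Government Digital Service or Trello. It assumes the JSON shape of a Trello board export: a `prefs.permissionLevel` field carrying `private`, `org` or `public`, and a `cards` list whose entries have `name` and `desc` (this matches Trello's REST API and export format as far as I know it, but treat it as an assumption). The sample board and the secret patterns are constructed for this example; the patterns illustrate the data types named in the incident and are not a complete secret scanner.

```python
"""Audit a Trello board export: flag public boards whose cards carry
credentials, access codes or pasted emails.

Added example, not code from the article or from any government body.
Assumes the Trello export shape described in the lead-in; the sample
board below is constructed, not a real government board.
"""
import json
import re

# Patterns for the kinds of data named in the incident. Illustrative only:
# a real deployment would use a dedicated secret scanner's rule set.
SECRET_PATTERNS = {
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "login": re.compile(r"\b(?:username|user|login)\s*[:=]\s*\S+", re.I),
    "access_code": re.compile(
        r"\b(?:access|participant|pin)\s*code\s*[:=]?\s*\d{4,}", re.I),
    # Negative lookbehind keeps the password half of user:pass@host URLs
    # from also being reported as an email address.
    "email": re.compile(r"(?<![\w.+:-])[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url_with_creds": re.compile(r"https?://[^/\s:@]+:[^/\s@]+@", re.I),
}


def board_is_public(board: dict) -> bool:
    """Trello's permissionLevel is 'private', 'org' or 'public' (assumed
    from the API/export format); only 'public' is reachable by anyone."""
    return board.get("prefs", {}).get("permissionLevel") == "public"


def find_secrets(text: str) -> list:
    """Return the sorted names of every pattern that matches the text."""
    return sorted(name for name, pat in SECRET_PATTERNS.items()
                  if pat.search(text))


def audit_board(board: dict) -> list:
    """Return one finding per card that exposes secret-like content on a
    public board. A private or org-visible board yields no findings,
    because the same content is not exposed to the internet."""
    if not board_is_public(board):
        return []
    findings = []
    for card in board.get("cards", []):
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        hits = find_secrets(text)
        if hits:
            findings.append({"card": card.get("name", ""), "types": hits})
    return findings


# Constructed sample export mirroring the data types in the incident:
# registrar login, conference access code, a benign bug card, cPanel URL.
SAMPLE_EXPORT = json.loads("""
{
  "name": "Web ops (constructed sample)",
  "url": "https://trello.com/b/example",
  "prefs": {"permissionLevel": "public"},
  "cards": [
    {"name": "Renew domain",
     "desc": "registrar login: ops-admin password: Winter2018!"},
    {"name": "Weekly standup",
     "desc": "dial-in 0800 000 0000, access code: 123456#"},
    {"name": "Bug #42: footer overlaps on mobile",
     "desc": "repro steps in the linked ticket"},
    {"name": "cPanel",
     "desc": "https://admin:hunter2@cpanel.example.gov.uk:2083/"}
  ]
}
""")


if __name__ == "__main__":
    for finding in audit_board(SAMPLE_EXPORT):
        print(f"{SAMPLE_EXPORT['url']}: card {finding['card']!r} "
              f"exposes {', '.join(finding['types'])}")
```

Run it against each board's JSON export (or against the boards returned by the Trello API for a service account that belongs to the organisation) and treat any finding on a public board as an incident, not a hygiene note: the card was readable by anyone who found the URL for as long as the board was public. The bug card produces no finding, which matches the article's distinction between ordinary bug tracking and the credentials that made the exposure serious.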
Source: https://theintercept.com/2018/08/16/trello-board-uk-canada/
TPRM report: https://scoringcyber.rankiteo.com/company/uk-government
{
  "id": "ukg12181122",
  "linkid": "uk-government",
  "type": "Data Leak",
  "date": "08/2018",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": "Public Sector",
      "location": "United Kingdom",
      "name": "U.K. Government",
      "type": "Government"
    }
  ],
  "attack_vector": "Misconfiguration",
  "data_breach": {
    "sensitivity_of_data": "Moderate",
    "type_of_data_compromised": [
      "login credentials",
      "emails",
      "code snippets",
      "bug information",
      "conference call details",
      "server administration tool login"
    ]
  },
  "description": "The U.K. government exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system, by misconfiguring boards on Trello, a project management website.",
  "impact": {
    "data_compromised": [
      "passwords",
      "login credentials",
      "emails",
      "code snippets",
      "bug information",
      "conference call details",
      "server administration tool login"
    ],
    "systems_affected": [
      "Trello boards",
      "domain registrar",
      "government websites",
      "cPanel"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Misconfigured (public) Trello boards"
  },
  "lessons_learned": "Ensure that no personal or sensitive data is published on Trello and provide guidance on the appropriate use of online tools.",
  "post_incident_analysis": {
    "corrective_actions": "Guidance from the Information Assurance Team on the appropriate use of online tools.",
    "root_causes": "Trello boards left with public visibility"
  },
  "recommendations": "Implement stricter controls on the use of public project management tools and ensure that sensitive information is not exposed.",
  "title": "U.K. Government Data Exposure via Trello Misconfiguration",
  "type": "Data Exposure",
  "vulnerability_exploited": "Public Trello boards"
}