Sensitive Canadian, UK government info exposed from cloud project management service

In another example of how employees can defeat the best security strategies, a researcher has discovered that Canadian and British government staffers misconfigured some of their boards on the web-based Trello project management service, exposing details of software bugs and security plans, as well as passwords for servers and other sensitive information.

The incidents were reported Thursday by The Intercept.

Trello allows users to create boards made up of lists of cards for managing projects. The cards can also carry comments for team members. Boards are private by default, says the service provider. However, security researcher Kushagra Pathak found

— 25 Canadian government boards exposed to the public Internet.

On those boards was a range of information including remote file access credentials; login details for the Eventbrite event-planning platform; a link to an Excel file about managing control of a department’s web applications; discussion of additional security testing in the aftermath of a recent security incident; links to a Google folder with research documents; a security working group’s board with tasks related to audits and security testing; and a bug discussion.

Pathak reported his discovery to the Canadian Cyber Incident Response Centre, which removed public access to the boards.

In a statement to The Intercept a Canadian government spokesperson said “Government of Canada employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.”

— 25 public Trello boards belonging to different U.K. government departments.

These included login credentials to a U.K. government account on a domain registrar; emails that had been pasted onto the boards; a link to a snippet of backend code of a government site; login information for a server administration tool known as cPanel; a discussion of how to prevent personal information from being exposed to Google’s web analytics platform; and details about an earlier incident in which such information was exposed to the platform.

Pathak let the U.K. National Cyber Security Centre know of the exposure.

Boards can be expanded to allow messaging and other information

Why government Trello boards would be configured to be public — other than a mistake — is an unanswered question. Pathak is quoted as speculating that it’s slightly easier to make a board public and share the URL internally than it is to add people to a Trello team of authorized viewers.

Finding publicly-exposed Trello boards through a search engine isn’t hard, he is quoted as saying. However, he admitted that in many cases, it can be very difficult to identify the organization to which a board belongs. 

The incidents show why privacy has to be part of a written security policy and be followed up with application audits, Forrester Research security analyst Joseph Blankenship said in an interview this morning. He also agreed that one problem may be that staff don’t see Trello as a medium for sensitive information. The key, he added, is a strict policy for those who have access to the application’s privacy control.
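The audit Blankenship describes can be partly automated. The script below is an added example and is not code from the article, from Trello or from either government; it takes a Trello board export and reports two things the story turns on: whether the board's visibility is set to public, and whether card titles, descriptions or comments contain strings that look like pasted credentials. The field names (`prefs.permissionLevel`, `cards[].desc`, `actions[].type == "commentCard"` with `data.text`) are my understanding of Trello's board JSON export and should be checked against a real one; the sample board, its hosts and its passwords are constructed for the example, and the credential patterns are heuristics that will miss some secrets and flag some harmless text.

```python
"""Audit a Trello board export for public visibility and pasted secrets.

Added example, not code from the article or from Trello. Field names follow
my understanding of Trello's board JSON export (an assumption).
"""
import json
import re
from collections import Counter

# Constructed sample board; every host, account and password here is invented.
SAMPLE_BOARD = {
    "name": "Web apps security working group",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"name": "Rotate SFTP creds",
         "desc": "host: files.example.invalid\nuser: deploy\npassword: Winter2018!"},
        {"name": "Eventbrite access",
         "desc": "Eventbrite login: events-team@example.invalid, pw=S3cret!"},
        {"name": "Audit checklist",
         "desc": "Run ZAP against staging before each release"},
    ],
    "actions": [
        {"type": "commentCard",
         "data": {"card": {"name": "Rotate SFTP creds"},
                  "text": "cPanel is at https://admin:hunter2@panel.example.invalid:2083"}},
        # A non-comment action: carries no free text and must be skipped.
        {"type": "updateCard",
         "data": {"card": {"name": "Audit checklist"}, "old": {"closed": False}}},
    ],
}
SAMPLE_EXPORT = json.dumps(SAMPLE_BOARD)

# Heuristic patterns for the kinds of material the story describes being pasted
# into boards. Tune the list for your environment; it is not exhaustive.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd?)\s*[:=]\s*\S+")),
    ("username field",
     re.compile(r"(?i)\b(?:user(?:name)?|login)\s*[:=]\s*\S+")),
    ("url with embedded credentials",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@")),
    ("private key block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def board_visibility(board):
    """Return the board's permission level ('private', 'org', 'public', ...)."""
    return board.get("prefs", {}).get("permissionLevel", "unknown")


def iter_board_text(board):
    """Yield (location, text) for every free-text field a reader could see."""
    for card in board.get("cards", []):
        name = card.get("name", "")
        yield f"card {name!r} name", name
        if card.get("desc"):
            yield f"card {name!r} description", card["desc"]
    for action in board.get("actions", []):
        if action.get("type") != "commentCard":
            continue
        data = action.get("data", {})
        card_name = data.get("card", {}).get("name", "?")
        yield f"comment on card {card_name!r}", data.get("text", "")


def mask(secret, keep=6):
    """Keep only a prefix so the report itself does not re-expose the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def find_secrets(board):
    """Run every pattern over every text field; return masked findings."""
    findings = []
    for location, text in iter_board_text(board):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(text):
                findings.append({"location": location, "kind": kind,
                                 "evidence": mask(m.group(0))})
    return findings


def audit_board(export):
    """Audit a board given as a JSON string or an already-parsed dict."""
    board = json.loads(export) if isinstance(export, str) else export
    findings = find_secrets(board)
    visibility = board_visibility(board)
    return {
        "board": board.get("name"),
        "visibility": visibility,
        "public": visibility == "public",
        "findings": findings,
        "by_kind": dict(Counter(f["kind"] for f in findings)),
    }


if __name__ == "__main__":
    report = audit_board(SAMPLE_EXPORT)
    print(f"{report['board']}: visibility={report['visibility']}")
    for f in report["findings"]:
        print(f"  [{f['kind']}] {f['location']}: {f['evidence']}")
```

A public board with any finding is the worst case the article describes; a private board with findings still breaks the "no sensitive information on Trello" rule the Canadian spokesperson cites, so both conditions are reported separately rather than folded into one verdict.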

This isn’t the first report on misconfigured Trello systems. In May security reporter Brian Krebs said he notified a number of companies, including Uber, that their Trello boards were exposed to the public Internet. In June he and a researcher with the security firm Flashpoint found more. In some cases employees had put login credentials in messages sent to other staffers.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com