A data leak has reportedly affected around 900 companies, including major firms such as Dell, Capital One, and Verizon, leaking employee data online.
The third party app ‘Simpli’ (formerly Charm City Concierge) was discovered to have a publicly available web directory which exposed as many as 10,000 employee credentials from the affected firms.
The information was found by researchers at Cybernews on an open web directory which stored backups of the company’s app database and website, made in January 2024. Many employees signed up for the third party service using corporate email addresses, which could leave companies vulnerable to malicious actors targeting work-related endpoints.
Supply chain attacks
A number of details and potentially sensitive operational information were exposed through app orders and notes leaving organizations vulnerable to data theft and worse.
The researchers also found email addresses, hashed passwords, and meeting details, which included the purpose of meetings and attendees.
The incident is another reminder of the increasing risk of supply chain attacks on businesses. Whilst companies have become more concerned with cybersecurity in recent years, weaker elements within a supply network have become marks for threat actors looking to target otherwise secure company data.
Suppliers and third parties often hold sensitive company and customer information, making them an effective in-road for threat actors. Recent research claimed third-party attack vectors make up almost 30% of data breaches in recent years. With roughly 98% of organizations affiliated with a third party that has experienced a data breach, this has become a serious security concern.
Researchers advise security leaders to ensure that robust third-party risk management plans are in place to prevent and recover from security breaches.