Australian staffing solutions firm OneHalf has reportedly exposed the records of hundreds of employees in a public GitHub repository.
How did the data breach occur?
iTnews reported that “hundreds of workers’ details [were] revealed, including detailed medical data”, and that UpGuard, a security software vendor, discovered the breach.
Greg Pollock, part of UpGuard’s cyber risk team, told iTnews that the data was discovered on 9 August. He tried to report this to OneHalf the next day but, despite multiple attempts to contact the firm, there was no response.
The GitHub repository was not made secure until 22 August – almost two weeks later.
Pollock found that the database was unencrypted and listed hundreds of OneHalf workers. The repository also contained the source code of an internal application, which itself identified several employees, most of whom are based in the Philippines.
Most of the listed employees had 30 fields of data each; for 180 of them, however, a further 90 fields of medical data were also present. This medical data included clinical histories naming the specific illnesses of individual workers.
Lax security practices to blame for breach
Pollock found that the repository had been created and left unsecured since early 2018.
He blamed “lax practices” for the breach. GitHub repositories can be made private and restricted to named collaborators, but according to iTnews the OneHalf developers seem to have “ignored basic security practice and/or hoped for security-through-obscurity”. A public repository is indexed, searchable and routinely crawled by automated scanners, so obscurity offers no protection at all.
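The practical lesson from this incident is that a database export should never reach a repository in the first place. The following script is an added illustration written for this page, not code from OneHalf, UpGuard or iTnews: it scans a set of files (as a pre-commit hook would scan the staged files) and flags anything that looks like a bulk data export or contains personal and medical data. The file names, column names, thresholds and sample contents are all constructed for the example.

```python
"""Pre-commit style scan for database dumps and personal/medical data.

Added example for this page, not OneHalf's or UpGuard's code. All file
names, column names, thresholds and sample contents are constructed.
"""
import os
import re
import sys

# Binary database files are never legitimate in a source repository.
DUMP_EXTENSIONS = {".db", ".sqlite", ".sqlite3", ".bak", ".dump"}

# CSV column headers that suggest personal or health data (hypothetical list).
SENSITIVE_COLUMNS = {
    "date_of_birth", "dob", "passport", "tax_file_number", "tfn",
    "diagnosis", "illness", "medication", "clinical_history", "blood_type",
}

# More than this many distinct e-mail addresses in one file looks like a
# contact list rather than, say, a single support address in code.
EMAIL_THRESHOLD = 3

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Schema files (CREATE TABLE) are fine; INSERT statements carry data rows.
SQL_INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s", re.IGNORECASE | re.MULTILINE)


def scan_file(path: str, content: str) -> list[str]:
    """Return the reasons this file looks like a data export; [] if clean."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in DUMP_EXTENSIONS:
        reasons.append(f"binary database file ({ext})")
    if SQL_INSERT_RE.search(content):
        reasons.append("SQL INSERT statements: data rows, not just schema")
    if ext == ".csv":
        header = content.splitlines()[0] if content.strip() else ""
        cols = {c.strip().strip('"').lower() for c in header.split(",")}
        hits = sorted(cols & SENSITIVE_COLUMNS)
        if hits:
            reasons.append("sensitive columns: " + ", ".join(hits))
    emails = len(set(EMAIL_RE.findall(content)))
    if emails >= EMAIL_THRESHOLD:
        reasons.append(f"{emails} distinct email addresses")
    return reasons


def scan_staged(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; clean files are omitted."""
    findings = {}
    for path, content in files.items():
        reasons = scan_file(path, content)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample "staged files": two harmless, two that must be blocked.
SAMPLE_FILES = {
    "src/app.py": "import os\n\nCONTACT = 'support@example.com'\n",
    "schema/schema.sql": "CREATE TABLE employees (id INT, name TEXT);\n",
    "export/employees.csv": (
        "id,name,email,date_of_birth,diagnosis\n"
        "1,A. Cruz,a.cruz@example.com,1987-04-02,asthma\n"
        "2,B. Reyes,b.reyes@example.com,1990-11-15,none\n"
        "3,C. Santos,c.santos@example.com,1979-06-30,hypertension\n"
    ),
    "backup/employees.sql": (
        "INSERT INTO employees VALUES (1, 'A. Cruz');\n"
        "INSERT INTO employees VALUES (2, 'B. Reyes');\n"
    ),
}


if __name__ == "__main__":
    # In a real hook the dict would be built from `git diff --cached`.
    findings = scan_staged(SAMPLE_FILES)
    for path, reasons in findings.items():
        print(f"BLOCKED {path}: {'; '.join(reasons)}")
    sys.exit(1 if findings else 0)
```

The check is deliberately conservative about schema files and single addresses in code, and deliberately strict about column names and bulk rows: a false positive costs a developer a minute, while a missed export costs what this article describes. It belongs alongside, not instead of, keeping the repository private and reviewing who can read it.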
Employees must be educated on information security best practice
Information security is critical for all businesses. To reduce exposure to security threats, organisations must ensure that employees have a good understanding of information security risks and compliance requirements.
Our Information Security Staff Awareness E-learning Course aims to reduce the likelihood of human error-related incidents by familiarising staff with the basics of information security and security awareness policies and procedures.