“All organisations should be working hard to ensure that sensitive customer and employee data remains secure and protected. This is important as, in this case, the sheer amount and quality of data exposed could make for extremely targeted social engineering attacks if it were to end up in the wrong hands. For example, being able to incorporate details such as COVID vaccination status can enable cybercriminals to create exceptionally plausible phishing attacks against the employees of the organisations affected, helping fuel future attacks.

Vendors also must take responsibility for ensuring that their solutions are secure by design, and they should not expect their users to be aware of the nuances of configuring a secure solution, particularly when they are making a solution which is very easy to use for their customers. Fortunately, in this case the data exposure was found by security researchers, who responsibly disclosed the issues to those affected, but it could easily have been cybercriminals making this discovery and walking away with millions of high-quality personal data records.

From a reputation protection standpoint, being in the spotlight for data protection transgressions and data breaches is not good for business. This story serves as a reminder for all organisations to invest appropriately in data protection and cyber defences, and wherever possible to ensure that they have their approach validated by trusted independent third parties. As well as technical controls, such as next-generation anti-malware and web access security solutions, it is critical to ensure that staff are properly trained to prevent leaks, and that their skills are regularly tested.”