Another company has ended up accidentally spilling sensitive data from business collaboration tool Trello.

According to a Daily Telegraph report, the company that put the boot to its own throat this time is office space company Regus, which posted performance ratings of 900 managers to a public Trello board.

Trello boards have three visibility settings: Private (visible only to board members and admins), Team (visible only to members of a specified team), and Public.

It seems the Regus parent company IWG carried out covert video assessments using researchers from a company called Applause posing as clients looking for office space.

The evaluations from this were gathered into a spreadsheet which was inadvertently set to ‘public’.

Because search engines index public Trello boards that meant that anyone with a browser could, in theory, see the data, which included names, addresses, performance ratings, and company training videos.

These would normally be shown only to the employee concerned as part of company assessments.

In addition to exposing Regus’s own staff, the personal details and email addresses of the external researchers working for Applause were also leaked. IWG issued a statement that appeared to shift the blame to the research company:

We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.

The data had now been taken down:

As our primary concern we took immediate action and the external provider has now removed the content.

Although the newspaper says this didn’t happen until they contacted IWG and Applause. It’s not clear how long the data was left in its public, exposed state.

Self-inflicted wound

This is not the first time that an organisation has got itself into hot water while using Trello, but the problem isn’t necessarily Trello as an application (which sets boards to Private by default) so much as the ease with which it can be used naively.

It’s the version of the ‘shadow cloud’ problem hiding in plain sight – employees are using an approved application without knowing how to use it securely.

If they’ve not had the risks explained to them – and inevitably there will always be someone who missed the training day – it’s hardly their fault.

Or perhaps they were told and simply forgot or made a mistake. Either way, the company that gives them this power is always responsible for the moral hazard.

It’s a reminder that many data breaches are nothing to do with hacking but happen because of misconfiguration. As with all cloud systems, sharing and collaboration are great buzzwords as long as the going’s good.


Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner