Popular office app may have exposed data of thousands of employees
About 900 companies have reportedly been hit by a data breach, including major companies such as Dell, Capital One and Verizon, with employee data leaked online.
The third-party app ‘Simpli’ (formerly Charm City Concierge) was discovered to have a publicly accessible web directory exposing the login credentials of as many as 10,000 employees of the affected companies.
The information was found by researchers from Cyber News on an open web directory that stored backups of the company’s app database and website, created in January 2024. Many employees signed up for the third-party service using work email addresses, potentially leaving companies vulnerable to malicious actors targeting work-related endpoints.
Supply Chain Attacks
A number of details and potentially sensitive operational information were exposed through app orders and notes, leaving organizations vulnerable to data theft and worse.
The researchers also found email addresses, hashed passwords, and meeting details, including the purpose of the meetings and the participants.
The incident is a fresh reminder of the growing risk of supply chain attacks on businesses. While businesses have become more concerned about cybersecurity in recent years, weaker elements within a supply network have become targets for threat actors seeking access to otherwise secure corporate data.
Vendors and third parties often hold sensitive corporate and customer information, making them an effective gateway for threat actors. Recent research claimed that third-party attack vectors account for nearly 30% of data breaches in recent years. With approximately 98% of organizations connected to a third party having experienced a data breach, this has become a serious security concern.
Researchers advise security managers to ensure that robust third-party risk management plans are in place to prevent and recover from security breaches.