Detailed information about the job performance of more than 900 Regus employees was accidentally published online after the co-working space provider conducted a review of its sales staff.
Regus owner IWG commissioned the mystery shopping business, Applause, to audit its sales staff through covert filming using "spy pens" fitted with miniature cameras. The employee performance data was compiled into a spreadsheet listing the names and work addresses of hundreds of Regus sales managers along with reviews of their performance.
However, the employee performance data was published to a page on the task management site Trello that had been made public, which allowed the files to appear in Google search results. According to the Telegraph, this apparently happened because the Trello board was accidentally set to 'public'.
After learning of the incident, Regus took immediate action and removed the content from the external provider's site. A Regus spokesman claims that the company has "run an internal audit to confirm that there are no other unapproved third-party software tools being used in any client engagements."
NNT CTO Mark Kedgley recently told SC Media UK, "The GDPR teeth are already biting, with over €100m (£83m) in fines already issued across the EU since the 2018 legislation came into action. In the UK, it seems the ICO are still using fines sparingly to maximize the impact when they do, with BA made an example of last year with the threat of a £183m fine for their security lapse."
"The message to all businesses operating within the EU region is clear: breaches involving the exposure of personal information will cost you financially and in customer trust. The best advice is to review your internal security operations against the CIS Controls to maximize cyber defenses, and always make use of encryption where possible for personally identifiable information as a backstop, so that even in the event of a breach, the data is unusable."
Studies show that the majority of security incidents occur when the first six CIS Controls are lacking or are poorly implemented. That's why we've teamed up with the Center for Internet Security (CIS) to host a webinar detailing the first six CIS Controls - also called the Basic CIS Controls.
Join us on Thursday, February 20 for our webinar and learn:
- What are the first six CIS Controls?
- What are the CIS Controls implementation groups and which group does your organization fit in?
- Where to start and what shortcuts to take?
Read the full article here: Regus suffers staff data breach via third party