Open source hardware vendor Adafruit has apologized after inadvertently exposing sensitive customer data through a GitHub repository.
The problem arose because valid customer data, rather than dummy information, was used to put together a training dataset that was published on a public repository.
Personal info of some Adafruit users – including names, email addresses, physical addresses, and order details – was exposed as a result of the slip-up.
No user passwords or financial information such as credit cards appeared in the dataset which dates from 2019, according to a statement from Adafruit.
“The inadvertent disclosure involved an auditing data set used for employee training becoming public, on a GitHub repository associated with an inactive former employee’s account who was learning data analysis,” the vendor explained.
“Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved.”
Adafruit added: “The data set was unintentionally made public during an employee exit procedure handoff.”
There’s no evidence to date that any of the data was misused.
Learning points
Although Adafruit has attempted to practice transparency in reporting the issue, the vendor has still come in for criticism (here, here and here) over the issue on at least two points.
Firstly, the company should have known better than to use real data to train inexperienced or even more experienced workers in data analysis. It’s easy to be wise in retrospect, but mistakes were always going to be a possibility in such a scenario.
Adafruit tacitly acknowledged criticism along these lines in its statement by saying it was “putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use”.
The vendor published its statement on the incident on Friday (March 4) without first notifying affected users. In response to criticism on this score, Adafruit updated its statement on Monday to say it had begun notifying affected parties.
Source: https://portswigger.net/daily-swig/electronics-retailer-adafruit-apologises-after-training-data-containing-real-customer-info-leaks-onto-github
