
Translation Company Leaks Sensitive Data


18 / 01 / 2017

Translation company leaks personal data of employees, customers, and many other private documents online

MacKeeper Security Research Center discovered a network-attached storage (NAS) device that was not properly configured. Moreover, there were at least two IPs associated with two identical NAS devices belonging to an IT manager of the company. The backups were identified as belonging to a company named Interpreters Unlimited and were publicly accessible, with no password or encryption in place.

The device contained private information (we estimate 4,500+ records) on clients and employees, including salary data, Social Security numbers, emails, and much more sensitive data, stored in plain text in Excel spreadsheets and .txt files.

Special folders included all server access details, all email logins, and passwords for almost every employee.

The website’s technical admin is listed in the Whois registration, and there was a trove of personal documents stored on the device that belong to the IT manager.

As a general rule, Social Security numbers should never be stored in a plain-text document; when combined with names, addresses, emails and other identifiable information, they provide cyber criminals with all of the information they need.

The data discovered by MacKeeper researchers even included the amount of money translators earned with the company the previous year. This one document provides enough information to allow criminals to file fake tax returns, get loans, or commit other forms of fraud.

Interpreters Unlimited offers translation services such as onsite interpretation, video, phone, and a range of other services. According to their website, “We act as a “matchmaker,” finding you the best-fit language service that suits your needs”. Their client profile includes companies like Google, Boeing, United States Postal Service, and others.

We have been working on this case together with Zack Whittaker from ZDNet, who was able to contact the company's president and alert him to the incident (our initial notifications, sent via email to the company's IT manager, went unnoticed). The NAS device has been isolated. The company is seeking counsel and a third-party security audit company, and it will be informing people, namely the translators, of the exposure.

The data was streaming for "four to six months," he said.

You can read Zack's story at ZDNet.

***

For more information or media requests please contact security@kromtech.com