Third-party vendor leaked personal data of Palo Alto Networks’ employees
Personal data of present and former employees of security firm Palo Alto Networks was compromised in February this year when one of the firm’s third-party vendors inadvertently posted the said data online.
News about the breach of personal data of present and former employees of Palo Alto Networks was revealed by a former employee of the security firm to Business Insider under the condition of anonymity.
The anonymous former employee told the publication that the data breach impacted names, dates of birth, and social security numbers of several employees of the security firm. When contacted, Palo Alto Networks confirmed that the breach did take place and that it subsequently terminated the erring vendor’s contract.
While stating that the breach impacted the personal data of seven current and former employees, the security firm did not disclose the name of the third-party vendor that caused the breach.
“We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals.
“We take the protection of our employees’ information very seriously and have taken steps to prevent similar incidents from occurring in the future,” a spokesperson from Palo Alto Networks told Business Insider.
Data security incidents involving cyber security firms aren’t a rarity
This isn’t the first time that a leading cyber security firm has been found to be associated with a data security incident. Earlier this month, Trend Micro announced that a “malicious insider” sold personal information of approximately 68,000 of its customers to third parties after improperly accessing data stored in its systems with “clear criminal intent”.
“A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers were improperly accessed.
“Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor. We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation,” the firm said.
A couple of years ago, cyber security consultancy firm Accenture narrowly avoided a massive data breach after it was revealed that the firm stored bundles of sensitive data containing decryption keys and customer information in four cloud servers without protecting them with passwords.
The unprotected AWS cloud servers were discovered by security research firm UpGuard who found that the servers contained sensitive Accenture data including secret APIs, authentication credentials, certificates, decryption keys, and customer information. All this data (up to 137GB) was publicly downloadable and could be accessed by anyone with web addresses for the four unsecured servers.