Habitat for Humanity, the charity that builds affordable housing across the globe for the underprivileged, was found to be leaking sensitive information online, according to dailydot.com. Over 400 gigabytes of information – including detailed information on approximately 4,600 people – was left unsecured in the cloud. (More specifically, it was Habitat for Humanity Michigan).
The situation was discovered by Chris Vickery, a man who's been in the news quite a number of times in the past year. As dailydot.com notes, Vickery helped secure US voter records (twice!) and was invited to Mexico by its government after exposing a misconfigured database that exposed information on 87 million Mexicanos.
Per Vickery, Habitat was holding the exposed data on a virtual hard drive (VHD). This VHD was apparently being backed up using rsync, a protocol used for making backups. The backups had "decent…encryption" but the actual VHD was not encrypted. Vickery placed the blame with whoever was in charge of "backing up Habitat's data."
Per usual, the observation in such cases is that the original files should have been encrypted, just like the backups.
There are many aspects to security when it comes to data and the internet. Keeping passwords safe; running antivirus software to combat malware (often times, ineffectively), not using unfamiliar public Wi-Fi; the list goes on and on. Included in this list is the use of encryption to protect data.
It is rare, if not unheard of, to encounter an instance where backed up data was protected whereas the original was not. This appears to be only possible because cloud services, whatever those services may be, are heavily vested in using encryption to secure data, whereas people in general don't go as good a job, regardless of how knowledgeable they may be when it comes to computers. (Which I think is probably the case with Habitat. You don't go around using VHDs and backing up with rsync if you're uncomfortable or unknowledgeable about computer technology).
This story may be the so-called apocryphal data: statistically invalid since it represents one specific instance. But, I think this may also very well be a sign that we've reached a watershed moment where the different attempts to increase security on the internet is finally beginning to bear fruit.
The problem, though, is that internet services are only half the equation. It's like living a healthy life: sure, medical technology can do wonders, in certain cases bringing people back to life from the firm grip of death. But, people still have to do their part by eating right, exercising, getting health checkups, etc.
Likewise, data security requires computer users to do their part as well.
There is an ironic side to this story. Apparently, when contacted by Vickery regarding their exposed data, Habitat's IT provider was led to believe, at the onset, that Vickery was a hacker looking to pull off a phising scam.
Related Articles and Sites: