4 ways to royally leak your company data

A few stories about how easy it is to accidentally leak sensitive information into the public domain.

If you post pics of concert tickets on Instagram without hiding the barcode, someone could get to see your favorite band instead of you. The same can happen even if you do hide the barcode, but with the wrong tool.

That said, remembering to conceal the barcode properly before bragging about tickets isn’t so difficult. It’s a totally different matter when you post a photo online without noticing a ticket or, say, a sticky note with passwords accidentally in frame. Here are several cases when people published confidential data online without realizing it.

1. Posting photos against a password backdrop

Photos and videos taken in offices and other facilities reveal passwords and secrets way more often than you might think. When taking snapshots of colleagues, few people pay attention to the background, the result can be embarrassing — or even dangerous.

Military (lack of) intelligence

In 2012, the British Royal Air Force put its foot in it, big time. Along with a photo report about Prince William, who was then serving in an RAF unit, login details for MilFLIP (military flight information publications) were made public. A username and password on a piece of paper adorned the wall behind the Duke of Cambridge.

Soon after their publication on the royal family’s official website, the images were replaced with retouched versions, and the burned credentials were changed. Whether they were pinned on the wall again is unknown.

MilFLIP login credentials as interior decoration.

MilFLIP login credentials as interior decoration. Source

The Prince William incident is hardly unique. Lesser-known military personnel also share secrets online, both with and without the help of the press. For example, one officer published a selfie on a social network against a backdrop of working displays showing secret information. The serviceman got off lightly with “re-education and training.”

On-air leak

In 2015, French television company TV5Monde fell victim to a cyberattack. Unidentified individuals hacked and defaced the organization’s website and Facebook page, and they interrupted broadcasting for several hours.

Subsequent events turned the story into a farce. A TV5Monde employee gave reporters an interview about the attack — against a backdrop of passwords for the company’s social media profiles. In the images, the text is hard to read, but enthusiasts were able to get the password for TV5Monde’s YouTube account.

Coincidentally, it was also a lesson in how not to create a password: The secret phrase in question turned out to be “lemotdepassedeyoutube,” which, translated from French, is literally “youtubepassword.” Fortunately, the company’s YouTube and other accounts emerged unscathed. However, the password backdrop story provides some food for thought regarding the initial cyberattack.

TV5Monde employee gives an interview against a backdrop of passwords.

TV5Monde employee gives an interview against a backdrop of passwords. Source

A similar incident occurred just before Super Bowl XLVIII, in 2014, when the stadium’s internal Wi-Fi login credentials snuck into the lens of a TV cameraman. To add irony to injury, the footage came from the command center responsible for event security.

Wi-Fi login credentials displayed on a screen in the stadium command center.

Wi-Fi login credentials displayed on a screen in the stadium command center. Source

2. Using fitness trackers

Devices that you use to monitor your health might very well enable someone else to monitor you, and even extract confidential data such as a credit card PIN code from your hand movements. True, the latter scenario is a bit unrealistic.

But data leaks about the location of secret facilities are, unfortunately, perfectly true-to-life. For example, the Strava fitness app, with a user base of more than 10 million, marks users’ jogging routes on a public map. It has also lit up military bases.

Although the app can be configured to hide routes from prying eyes, not all users in uniform, it seems, are versed in such technicalities.

Soldiers' movements at a US military base in Afghanistan shown by Strava heat map.

Soldiers’ movements at a US military base in Afghanistan shown by Strava heat map. Source

Citing the threat of new leaks, in 2018 the Pentagon simply banned deployed US soldiers from using fitness trackers. Sure, for those who don’t happen to spend their days at US military bases, this solution may be overkill. But all the same, we recommend taking the time to configure the privacy settings in your fitness app.

3. Broadcasting metadata

It’s very easy to forget (or not know in the first place) that secrets can sometimes be hidden in information about files, or metadata. In particular, photographs often contain the coordinates of the place where they were taken.

In 2007, US soldiers (there seems to be a pattern developing here) posted online photos of helicopters arriving at a base in Iraq. The metadata of the images contained the exact coordinates of the location. According to one version of events, the information was subsequently used in an enemy attack that cost the United States four helicopters.

4. Oversharing on social media

You can learn some secrets simply by looking at a person’s friends. For example, if salespeople from a particular region suddenly start appearing in the friend list of a company manager, competitors may conclude that the organization is searching for new markets, and try to steal a march on it.

In 2011, Computerworld journalist Sharon Machlis carried out an experiment to glean information from LinkedIn. In just 20 minutes of searching the site, she found out the number of moderators of Apple’s online forums, the setup of the company’s HR infrastructure, and more.

As the author admits, she didn’t find anything like a trade secret, but Apple prides itself on taking privacy more seriously than the average company. Meanwhile, from the job duties of an HP vice president, again listed on LinkedIn, anyone could find out what cloud services the company was working on.

How to avoid inadvertently spilling data

Employees can unwittingly share a lot about your company. To keep your secrets from becoming public knowledge, set strict rules for publishing information online, and inform all of your colleagues:

  • When taking photos and videos for posting on social media, make sure that nothing gets into the frame that shouldn’t be there. The same applies when someone photographs or films you or your office. Journalists don’t care, but you might get it in the neck if your passwords whizz around the Internet. Keep shoots to places specially designated for the purpose. If there is no such place, at least check the walls and desks beforehand.
  • Also be aware of what others can see behind you during video calls and teleconferences, even if you’re talking with colleagues or partners.
  • Hide sensitive personal and business contacts in social networks. Remember that competitors, scammers, and general ill-wishers can use them against you.
  • Before posting a file, delete its metadata. On a Windows computer, you can do that in the file properties; for smartphones, there exist special apps. Your readers don’t need to know where a photo was taken, or on whose computer a document was created.
  • Consider before bragging whether work successes might actually be trade secrets. At a minimum, it’s probably not wise to illuminate your triumphs in minute detail.

Employees should clearly understand which information is confidential, and know how to handle it. Our automated security awareness platform has a course dedicated to that topic.

Tips