We tell you a few stories about how easy it can be to accidentally leak confidential information into the public domain.
If you upload photos of concert tickets to Instagram without hiding the barcode, someone else might get to see your favourite band instead of you. And even if you do hide the barcode, the same thing could happen if you use the wrong tool to do it.
That said, it is not so difficult to remember to hide the barcode properly before you show off your tickets. It is a different matter entirely when you upload a photo without realizing that the ticket, or, for example, a sticky note with your passwords, is in the frame. Below is a series of situations in which someone published confidential data online without realizing it.
1. Post Photos With A Background Password
Photos and videos taken in offices and other facilities reveal passwords and secrets much more often than you think. When we photograph our colleagues, few people pay attention to the background, so the result can be embarrassing or even dangerous.
The (Lack Of) Military Intelligence
In 2012, Britain's Royal Air Force screwed up in a big way. Along with a photographic report on Prince William, who was then serving in an RAF unit, the access credentials for MilFLIP (publications with information on military flights) were released. A username and password on a piece of paper adorned the wall behind the Duke of Cambridge.
Shortly after their publication on the royal family’s official website, the images were replaced by retouched versions and the leaked credentials were modified. It is unknown if they nailed them back to the wall.
The Prince William incident is not an isolated case. Less well-known military personnel have also shared secrets online, with and without the help of the press. For example, an officer posted a selfie on a social network in which work screens showing secret information appeared in the background. The officer received only a moderate reprimand: “re-education and training.”
In 2015, the French television company TV5Monde was the victim of a cyber attack. A group of unidentified individuals attacked and defaced the organization’s website and Facebook page, disrupting the broadcast for several hours.
Subsequent events turned the story into a farce. An employee of TV5Monde gave journalists an interview about the attack, with a background decorated with the passwords of the company’s social media profiles. In the images, the text was almost illegible, but enthusiasts were able to obtain the password for the TV5Monde account on YouTube.
Coincidentally, it was also a lesson in how not to create a password: the secret phrase in question turned out to be “lemotdepassedeyoutube”, which, translated from French, is literally “the YouTube password”. Fortunately, the company’s YouTube account and other accounts emerged unscathed. However, this password story makes one wonder about the origin of the initial cyber attack.
A similar incident occurred just before Super Bowl XLVIII in 2014, when the stadium’s internal Wi-Fi access credentials slipped into the lens of a television cameraman. To add to the irony, the images came from the command centre responsible for event security.
2. Use Of Activity Trackers
The devices you use to monitor your health could also allow someone else to monitor you, and even to extract sensitive data such as a credit card code by following the movements of your hand. Although, to be honest, this last scenario is a bit far-fetched.
But unfortunately, leaks of the locations of secret facilities are perfectly real. For example, the Strava activity monitoring app, with a user base of over 10 million, marks users’ jogging routes on a global activity map. In doing so, it has also marked military bases.
Although the application can be configured to hide the routes from prying eyes, not all users who wear uniforms seem to know about these technicalities.
Faced with the threat of further leaks, in 2018 the Pentagon banned US soldiers from using activity trackers. Obviously, for those who do not spend their days on US military bases, this solution may be excessive. Either way, we recommend that you configure the application’s privacy settings.
3. Dissemination Of Metadata
It’s very easy to forget (or not know in the first place) that secrets can sometimes be hidden in file information or metadata. In particular, photographs often contain the coordinates of the place where they were taken.
In 2007, US soldiers (it seems that we have a pattern) published online photos of helicopters arriving at a base in Iraq. The image metadata contained the exact coordinates of the location. According to one version of events, the information was later used in an enemy attack that cost the United States four helicopters.
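A pre-publication check for the problem described above, as an added example that is not part of the original article: it reports whether a JPEG's Exif block carries a GPS pointer and returns a copy with the metadata segments removed. It goes beyond location data and drops every Exif/XMP, IPTC and comment segment; the function names and the sample bytes are constructed for illustration, and a plain (non-progressive-restart) JPEG segment layout is assumed.

```python
import struct

METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM
GPS_IFD_TAG = 0x8825                   # Exif tag that points at the GPS block

def _seg(marker, payload):             # FF, marker, 2-byte length, payload
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def segments(jpeg):
    """Yield (marker, payload) per header segment; last item is (0xDA, SOS-to-EOF)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if jpeg[pos] != 0xFF or end < pos + 4 or end > len(jpeg):
            raise ValueError("corrupt segment")
        if marker == 0xDA:             # compressed image data starts here
            yield marker, jpeg[pos:]
            return
        yield marker, jpeg[pos + 4:end]
        pos = end
    raise ValueError("no image data found")

def has_gps(jpeg):
    """True if an Exif segment's first IFD contains the GPS pointer tag."""
    for marker, data in segments(jpeg):
        if marker != 0xE1 or not data.startswith(b"Exif\x00\x00"):
            continue
        tiff = data[6:]                # TIFF header: byte order, 42, IFD offset
        bo = "little" if tiff[:2] == b"II" else "big"
        ifd = int.from_bytes(tiff[4:8], bo)
        count = int.from_bytes(tiff[ifd:ifd + 2], bo)
        if any(int.from_bytes(tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i], bo) == GPS_IFD_TAG
               for i in range(count)):
            return True
    return False

def strip_metadata(jpeg):
    """Return the JPEG without Exif/XMP, IPTC and comment segments."""
    kept = [data if m == 0xDA else _seg(m, data)
            for m, data in segments(jpeg) if m not in METADATA_MARKERS]
    return b"\xff\xd8" + b"".join(kept)

# Constructed sample: JPEG skeleton (not viewable), JFIF + Exif with a GPS pointer.
_TIFF = b"II*\x00" + struct.pack("<IHHHII", 8, 1, GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9))
          + _seg(0xE1, b"Exif\x00\x00" + _TIFF) + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Other formats such as PNG, PDF and office documents keep their metadata in different structures and need their own handling.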
4. Share Excessively On Social Networks
You can uncover some secrets simply by snooping through a person’s friends list. For example, if vendors in a given region suddenly start appearing on a company manager’s friend list, competitors may conclude that the organization is looking for new markets, and try to get ahead of the move.
In 2011, Computerworld journalist Sharon Machlis conducted an experiment to obtain information from LinkedIn. In just 20 minutes of searching the site, she discovered the number of Apple online forum moderators, the setup of the company’s HR infrastructure, etc.
As the author herself admits, she found nothing as important as a trade secret, but since Apple prides itself on taking privacy so seriously, we can’t dismiss her findings. On the other hand, from the job responsibilities of an HP vice president, again listed on LinkedIn, anyone could find out what cloud services the company was working with.
How To Avoid Unintentional Data Leaks
Employees can inadvertently share a lot about your company. To prevent its secrets from being made public, set strict rules for posting information online and inform all of your colleagues of the following:
- When taking photos and videos to post on social media, make sure you don’t frame anything that shouldn’t be there. The same applies when someone else records or photographs you or your office. Journalists don’t care, but you can pay dearly if your passwords end up on the Internet. Take photos in places specially designated for it. If no such place exists, at least check the walls and tables beforehand.
- Also note what others can see behind you during video calls and teleconferences. Be careful, even if you are talking to colleagues or partners.
- Hide confidential personal and business contacts on social media. Remember that competitors, scammers and criminals in general can use them against you.
- Before publishing a file, delete its metadata. On a Windows computer, you can do it in the file properties; for smartphones, there are special applications. Your readers don’t need to know where a photo was taken, or on which computer a document was created.
- Think twice before bragging about your work successes; they could be trade secrets. At the very least, it’s probably not wise to describe your triumphs in great detail.
Employees must clearly understand what information is confidential and know how to handle it. Our automated security awareness platform has a course dedicated to that topic.