Engineering Group IEEE Hit by Member Data Breach
A Danish researcher says the exposed logs were publicly accessible for at least a month.
It would be a nightmare for any association, but it’s especially traumatic for the highly technical Institute of Electrical and Electronics Engineers.
The IEEE, an international professional organization with more than 400,000 members, suffered a wide-ranging data exposure: server logs had been left in a publicly accessible FTP directory, where anyone who knew where to look could read them. Worse, the logs contained nearly 100,000 unique username and password pairs in plain text.
The breach was discovered by Danish researcher Radu Dragusin, who reported it on his site, IEEE log.
“If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome,” he explained in his post detailing the incident.
Dragusin used the logs (with identifying information omitted) to create graphics describing the exposure, including maps of where the affected accounts were located and charts of the kinds of members affected.
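The failure Dragusin describes, credentials recorded in plain text in server logs, is easy to check for in your own infrastructure. The following is an added example, not code from the original article or from IEEE: it scans web-server access lines for credentials passed in URL query strings, counts the distinct username/password pairs the way Dragusin did, and produces a redacted copy that is safe to hand around. It assumes Apache/nginx "combined" log format (the article does not say what format IEEE's logs used), and the parameter names, the `scan_log`/`redact_line` helpers and the sample lines are all constructed for this example.

```python
"""Detect and redact plaintext credentials that have leaked into web-server access logs.

Added example; assumes Apache/nginx "combined" log format and a generic list of
credential parameter names. Nothing here is IEEE's code or log format.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry secrets or usernames in a query string.
# Assumption: a generic list, tune it to the application being audited.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}
USERNAME_PARAMS = {"username", "user", "login", "email", "uid"}

# The quoted request field of a combined-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def extract_credentials(line):
    """Return (username, password) from the request URL of one log line, or None.

    Only GET-style leaks are visible: a POST body is never written to an
    access log, so credentials sent that way will not be found here.
    """
    match = REQUEST_RE.search(line)
    if not match:
        return None
    params = dict(parse_qsl(urlsplit(match.group("target")).query,
                            keep_blank_values=True))
    password = next((v for k, v in params.items()
                     if k.lower() in CREDENTIAL_PARAMS), None)
    if password is None:
        return None
    username = next((v for k, v in params.items()
                     if k.lower() in USERNAME_PARAMS), "")
    return username, password


def redact_line(line):
    """Return the line with every credential parameter value replaced by [REDACTED]."""
    match = REQUEST_RE.search(line)
    if not match:
        return line
    parts = urlsplit(match.group("target"))
    if not parts.query:
        return line
    pairs = [(k, "[REDACTED]" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D.
    target = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
    return line[:match.start("target")] + target + line[match.end("target"):]


def scan_log(lines):
    """Scan an iterable of log lines.

    Returns (unique_pairs, redacted_lines): the set of distinct
    (username, password) pairs found, and a copy of the log safe to share.
    """
    unique_pairs = set()
    redacted = []
    for line in lines:
        found = extract_credentials(line)
        if found:
            unique_pairs.add(found)
        redacted.append(redact_line(line))
    return unique_pairs, redacted


# Constructed sample input, not real IEEE log data.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2012:10:21:03 +0000] "GET /login?user=alice%40example.org&password=Tr0ub4dor HTTP/1.1" 302 0
203.0.113.7 - - [18/Sep/2012:10:21:05 +0000] "GET /profile HTTP/1.1" 200 5120
198.51.100.4 - - [18/Sep/2012:10:22:41 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [18/Sep/2012:10:23:00 +0000] "GET /login?user=bob&passwd=hunter2 HTTP/1.1" 302 0
198.51.100.9 - - [18/Sep/2012:11:01:00 +0000] "GET /login?user=bob&passwd=hunter2 HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    pairs, clean = scan_log(SAMPLE_LOG)
    print(f"{len(pairs)} unique credential pair(s) found in {len(SAMPLE_LOG)} lines")
    for line in clean:
        print(line)
```

On the constructed sample this reports two distinct pairs from three credential-bearing lines, which is the difference between "hits" and "unique accounts" that matters when sizing a breach. The scanner sees only what the log sees: credentials submitted in a POST body never reach an access log, so a clean result here does not mean the application is safe, only that this particular leak path is closed. The lasting fix is to never accept credentials in a URL, to keep logs out of any anonymously readable share, and to treat logs as sensitive data in their own right.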
In a statement provided to ComputerWorld, IEEE apologized for the incident and said the issue had been resolved.
“We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” an IEEE spokeswoman said.
IEEE also sent members a statement explaining what happened and informing them that their passwords would be reset the next time they logged in. A reset protects only the IEEE account; members who reused the same password elsewhere need to change it there as well.
“None of your financial information was made accessible in this situation,” the letter, posted by Dragusin, says. “However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account.”
What sort of processes is your association using to ensure security of your member data?
(via Radu Dragusin)