A high profile literary publisher exposed thousands of files of sensitive client and company data, including unpublished books, royalty payments, invoice and contract details. The data was left exposed by UK-based Bell Lomax Moreton, which reportedly represents various celebrities, former politicians as well as award-winning authors including Michael Dobbs, whose novel "House of Cards" was later turned into a hit Netflix show.
The data was left exposed via an unprotected and publicly accessible internet-connected backup drive, which allowed potentially anyone to view the firm's most sensitive files, according to Kromtech security researchers. The backup drive's Rsync protocol was "misconfigured," in other words, it had no username or password. This left the data exposed to virtually everyone.
Kromtech researcher Bob Diachenko said in a blog that the security firm's researchers were able to access "thousands of documents, including Bell Lomax Agency's Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties and client details for 2014-2015."
It is still unclear how long the data was left exposed. ZDNet reported that some of the exposed files date back to 1999 and earlier. Moreover, Kromtech researchers also reportedly found the publishing firm's financial records, ledger books and email archives of senior staff and executives, dating back several years.
The backup drive also contained information on clients' contracts, payment data, royalty records, banking information, as well as copies of books in various editions and translations. Because the drive was publicly accessible, the data could have been stolen and leaked by hackers.
Fortunately, the backup drive has since been secured. IBTimes UK reached out to Bell Lomax Moreton for further clarity; however, the firm has refused to comment further on the incident.
"Unlike the scripted drama in The House of Cards, the danger online is real. Misconfigured backups are a serious issue that could severely damage a company's business, customers, employees or partners. If you or your company use an Rsync protocol, take the time to review the security configuration," said Alex Kernishniuk, VP of strategic alliances at Kromtech.
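The weakness described above is an rsync daemon whose modules require no username or password and accept connections from any address. The following script is an added example, not code from the article or from Kromtech, showing how an administrator can review an rsyncd.conf for exactly that: it parses the daemon configuration and flags every module that lacks `auth users`, lacks a `secrets file`, has no `hosts allow` restriction, or is writable. The configuration text embedded in it is constructed for illustration (one module as an exposed backup share, one hardened with the same settings rsync itself documents) and has nothing to do with the publisher's real setup.

```python
"""Audit an rsync daemon configuration (rsyncd.conf) for modules that can be
read without authentication or from any source address.

Added example for this article; the sample configuration is constructed."""

# Constructed sample rsyncd.conf: [backup] reproduces the "no username or
# password" misconfiguration, [backup-secure] shows the corrected settings.
SAMPLE_RSYNCD_CONF = """\
# global settings apply to every module unless overridden
uid = nobody
gid = nogroup
use chroot = yes

[backup]
    path = /srv/backup
    comment = Office backup share
    read only = yes

[backup-secure]
    path = /srv/backup
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.0/24
    hosts deny = *
    read only = yes
"""

# rsync's own defaults for the settings we check (rsyncd.conf(5)).
DEFAULT_READ_ONLY = "yes"
FALSE_VALUES = ("no", "false", "0")


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into {module_name: {setting: value}}.

    Settings that appear before the first [module] header are global and are
    stored under the empty-string key. Keys are lower-cased; rsync treats
    setting names case-insensitively."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_modules(conf):
    """Return {module: [finding, ...]} for every module with a weakness.

    Module settings inherit from the global section, so the global values are
    merged in before each check."""
    findings = {}
    global_settings = conf.get("", {})
    for name, settings in conf.items():
        if name == "":
            continue
        effective = {**global_settings, **settings}
        problems = []
        if "auth users" not in effective:
            problems.append("no 'auth users': module is readable by anyone "
                            "who can reach the daemon port")
        elif "secrets file" not in effective:
            problems.append("'auth users' set but no 'secrets file': the "
                            "daemon has no passwords to check against")
        if "hosts allow" not in effective:
            problems.append("no 'hosts allow': no source-address restriction")
        if effective.get("read only", DEFAULT_READ_ONLY).lower() in FALSE_VALUES:
            problems.append("'read only = no': remote clients may write to "
                            "the module")
        if problems:
            findings[name] = problems
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration in one call."""
    return audit_modules(parse_rsyncd_conf(text))


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents instead
    # (e.g. open("/etc/rsyncd.conf").read()) to audit a live daemon.
    report = audit_text(SAMPLE_RSYNCD_CONF)
    for module, problems in report.items():
        print(f"[{module}]")
        for problem in problems:
            print(f"  - {problem}")
    if not report:
        print("no weak modules found")
```

Running it on the sample reports the `backup` module twice (no authentication, no host restriction) and nothing for `backup-secure`. Even a module that passes every check still serves data in the clear, so on an internet-facing host the usual practice is to bind the daemon to a private interface or run rsync over SSH rather than rely on the daemon's own password file.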