The production company behind ads for big brands like Unilever has buggered up, leaving the data of Dove ad participants unprotected.
The goof saw Fresh Film Productions expose details like bank account and passport info in the most stupid way possible. According to Verdict, the data was left sitting out in the open on a "company server hosted online on an unsecured Amazon Web Services S3 bucket." So literally anyone could access it.
The worst instance was for 40 men involved in Dove's 'real people' advert, with sensitive information like names, addresses, email, phone numbers, dates of birth, and bank details for all of them readily available for whoever came looking. There were even passport scans and NI numbers on there.
After the company was tipped off to its bout of bloody stupid, the server was swiftly secured. The data had been vulnerable since 2018 - possibly earlier - and it's unknown if it was rifled through by cybercriminals during that time.
"There's something deeply ironic about 40 'real people' volunteering to bravely expose themselves in a Dove ad campaign only to find out that your most personal information has been exposed at the same time," said leading independent cybersecurity expert, Graham Cluley. "What possible excuse can there be for sensitive data like this to be stored unencrypted, let alone then left on an unsecured Amazon web bucket?
"When a traditional data breach happens, users have the option to change their passwords at the very least. Good luck changing your national insurance number, your address, your passport details, and everything else that has been left bare for anyone to see - no password required."
Cybersecurity Specialist at ESET, Jake Moore, added, "When personal data like this is exposed, it can have extremely damaging consequences for the individuals involved. This breach, particularly, has exposed such a large amount of information on each of the potential victims that the impact could be catastrophic. Like in most cases, identity theft and bank fraud are the initial concerns - but with a breach like this the possibilities for cyber criminals are nearly endless. Whilst mitigating the risks will take a significant amount of work, victims can begin to protect themselves by increasing the fraud protection on their bank accounts."
Fresh Film producer, Richard Carter-Hounslow, has said the company is "looking into this matter with urgency," but that's not going to save it from being slapped with a big ol' fine. The Marriott Hotel paid the price for sloppy security last year over a years-old data breach in the wake of the updated General Data Protection Regulation (GDPR) rules. Although in this instance, it could be Unilever who's liable, what with Fresh Film acting as a contractor to the brand. Someone's going to rue the day, regardless. [Verdict]