A data breach has reportedly affected around 900 companies, including major firms such as Dell, Capital One and Verizon, leaking employee data online.
Third-party app 'Simpli' (formerly Charm City Concierge) was found to have a publicly available web directory that exposed up to 10,000 employee credentials from the affected companies.
The information was found by researchers at Cyber News in an open web directory that stored backups of the company’s website and app database, taken in January 2024. Many employees signed up for the third-party service using corporate email addresses, potentially leaving companies vulnerable to malicious actors targeting work-related endpoints.
Supply chain attacks
A host of potentially sensitive operational details and information were exposed through application orders and notes, leaving organizations vulnerable to data theft and worse.
Investigators also found email addresses, encrypted passwords and meeting details, including the purpose of the meetings and attendees.
The incident is another reminder of the growing risk of supply chain attacks on businesses. While companies have become more concerned about cybersecurity in recent years, weaker elements within a supply network have become targets for threat actors looking to attack otherwise protected company data.
Suppliers and third parties often hold sensitive company and customer information, making them an effective gateway for threat actors. Recent research claimed that third-party attack vectors account for nearly 30% of data breaches in recent years. With approximately 98% of organizations affiliated with a third party that has experienced a data breach, this has become a serious security concern.
Researchers advise security leaders to ensure robust third-party risk management plans are in place to prevent and recover from security breaches.