In late January 2020, Regus, a co-working space and serviced offices provider, suffered a data breach. The incident reportedly took place on the task management website Trello. The massive data breach saw the ratings and information of more than 900 employees exposed online.
According to The Telegraph, the detailed information published online pertained to the job performance of approximately 900 Regus employees. The leak allegedly happened after IWG, the owner of Regus, carried out an evaluation of the said staff. The Trello board containing the data went public, making it accessible to everyone.
Among the employee data compromised are names of Regus sales managers as well as their respective work addresses. In addition, performance reviews have also been made public. The Telegraph found that this personal and supposedly confidential information was searchable on Google.
In addition to these, the names of mystery shoppers, together with their email addresses, have also been leaked.
The Telegraph reports that the breach stemmed from Applause, a mystery shopping business tasked to ‘spy’ on and observe Regus sales staff. The mystery shoppers wore miniature cameras to record the goings-on in the stores.
The leaked documents provided comprehensive insights into the workings of the industry. The notes and sensitive information showed that Regus went to great lengths to ensure its sales staff stay on top of their game to compete with WeWork and other similar office space companies.
In a statement, IWG said, “Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles.”
Following the Trello blunder, IWG also said, “[They] are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.”
To remedy the data breach incident, IWG reportedly took down the content, the BBC notes.
In answer to the backlash and criticism received by Trello, Michael Pryor, co-founder of the task management platform, said, “Trello boards are set to private by default and must be manually changed to public by the user.”
Meanwhile, Applause also issued a statement via its spokesperson saying, “We have reiterated our policies with our worldwide employees and have run an internal audit to confirm that there are no other unapproved third-party software tools being used in any client engagements.”
In connection with the huge data breach experienced by Regus, the global cybersecurity operations director at Sophos, Craig Jones, found bank details, ID numbers, and dates of birth. On another HR board on Trello, Jones also discovered salaries, bonuses, and contractual obligations.