During the pandemic and the forced adoption of teleworking, some bosses made their employees install monitoring software on their work computers to check that they were really working during the day.
As reported by Tom's Guide, a cybersecurity team has found that millions of screenshots taken by one of these monitoring systems are accessible to anyone, compromising the security of the companies that hired the service.
The distrust of the bosses. Cybernews, a media outlet specializing in cybersecurity, reported what it describes as one of the largest security leaks to date, affecting the company Workcomposer, which offered a monitoring service installed on more than 200,000 corporate computers at companies around the world.
Workcomposer's monitoring service consisted of automatically taking periodic screenshots of the remote computer to confirm that the employee was working on their assigned tasks instead of spending the day on personal matters. These monitoring systems have been the subject of ethical and legal debate, but if the computer belonged to the company, the company had the right to install whatever software it deemed appropriate.
The day's screenshots. All these monitored computers generated tens of millions of periodic screenshots over the course of the day. Those screenshots recorded all kinds of confidential company information that employees handled daily: emails, internal documents, accounting data and so on. The employee did not know when the monitoring application was going to take a screenshot, so they could not have avoided the capture of that sensitive data.
Beyond that data, the screenshots would also have captured access credentials for other company services whenever a screenshot happened to coincide with the employee logging in to the service, which represents a serious security risk.
A leak in the millions. According to Cybernews, the breach could affect around 21 million screenshots stored in an Amazon S3 bucket that lacked adequate access controls. That allowed anyone who knew where to look to list and access the entire catalog of screenshots stored there.
This has left every company that used Workcomposer's remote monitoring service exposed to impersonation attacks based on stolen credentials, and to the leakage of internal data. In addition, since this was not an attack on one specific service, the affected companies do not know the scope of the leak, which will force them to review (and in practice rotate) every credential and piece of sensitive information that the monitoring system may have captured.
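The exposure described above is a storage-configuration problem: an S3 bucket is publicly readable when a bucket policy or ACL grants access to everyone and the account's Block Public Access flags do not override it. As an added example (not code from the article, from Cybernews or from Workcomposer), the script below audits those three settings offline. The input shapes mirror what boto3's get_public_access_block, get_bucket_policy and get_bucket_acl return, but the weak and hardened sample documents are constructed for this example, and the account ID and role ARN in them are placeholders.

```python
"""Offline audit of an S3 bucket's public exposure.

Added example: hypothetical helper, not Workcomposer's or AWS's own code.
Inputs follow the shapes returned by boto3 (get_public_access_block,
get_bucket_policy, get_bucket_acl); the sample documents are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for the two wildcard principal forms: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return findings for Allow statements whose principal is everyone.

    A wildcard principal narrowed by a Condition (e.g. aws:SourceIp) is
    reported separately, because it may or may not be a real exposure.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"{sid}: wildcard principal narrowed by Condition, review {actions}")
        elif "s3:ListBucket" in actions or "s3:*" in actions:
            # ListBucket is what lets an outsider enumerate every object key.
            findings.append(f"{sid}: grants {actions} to everyone, including enumeration of all keys")
        else:
            findings.append(f"{sid}: grants {actions} to everyone")
    return findings


def public_acl_grants(acl):
    """Return findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def audit_bucket(public_access_block, policy, acl):
    """Return a list of findings; an empty list means no public exposure found.

    Block Public Access neutralises an existing public policy only through
    RestrictPublicBuckets and a public ACL only through IgnorePublicAcls; the
    other two flags merely stop new public settings from being written.
    """
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    findings = []
    if not cfg.get("RestrictPublicBuckets", False):
        findings.extend(public_policy_statements(policy))
    if not cfg.get("IgnorePublicAcls", False):
        findings.extend(public_acl_grants(acl))
    missing = [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]
    if missing:
        findings.append("Block Public Access flags not enabled: " + ", ".join(missing))
    return findings


# Constructed sample: the weak configuration (nothing blocked, policy and ACL both public).
WEAK_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
  "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-screenshots", "arn:aws:s3:::example-screenshots/*"]}]}""")
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

# Constructed sample: the hardened configuration (all flags on, one named role, owner-only ACL).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "ReaderRoleOnly",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/screenshot-reader"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-screenshots/*"}]}""")
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                            "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_PAB, WEAK_POLICY, WEAK_ACL)),
                        ("hardened", (HARDENED_PAB, HARDENED_POLICY, HARDENED_ACL))):
        print(label, audit_bucket(*args) or ["no public exposure found"])
```

The policy check is deliberately conservative: a wildcard principal behind a Condition is surfaced for review rather than silently accepted, and s3:ListBucket is called out because enumeration is what turns a few guessable object keys into the whole catalog.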
GDPR knocks on the door. The massive leak of these screenshots also puts both the affected companies and Workcomposer in a complicated position. At WorldOfSoftware we have tried to obtain a statement from the company that manages this application, but we have not received an answer.
The General Data Protection Regulation (GDPR) in force in Europe, and some US laws such as the California Consumer Privacy Act (CCPA), establish that the company that captures this data is responsible for its custody and protection. The negligence of hosting millions of images containing confidential information on a server without even minimal security could cost it multi-million sanctions.
Image | Unsplash (Boitumelo)