It’s been a rough year for workspace realtor WeWork. Three months ago, a Fast Company report revealed that the WiFi at the company’s co-working locations lacked basic security measures (and likely had since the first location opened in 2010). Lead investor SoftBank took control of the company last month in the midst of severe liquidity issues and projections of mass layoffs. And the hits keep coming as an exposed database containing customer contracts and financial data has been discovered, as reported by Vice’s Motherboard.
A Dubai-based researcher with cybersecurity firm spiderSilk discovered the documents by way of a public GitHub repository. The repository contained a script with URLs that referenced hundreds of PDF files stored on open and unprotected Amazon cloud storage servers. These PDFs turned out to be WeWork customer contracts and documents containing information on WeWork prospects who had expressed interest in renting office space. It appears that WeWork developers exposed these customer contracts and contact lists.
The exposed WeWork customer contracts: The extent of the damage
Most of the exposed files consisted of the contracts signed when a new WeWork tenant rents office space with the company. At minimum, these documents usually contain full names and contact information such as physical and email addresses and phone numbers. Motherboard reports that some of the contracts they viewed contained bank account information. In all cases, the files did not require authentication to download and were available to anyone with the URL.
One of the GitHub pages with public URLs also led to a server in India that contained the contact information of potential customers: primarily names, phone numbers and email addresses.
Motherboard reports that the leaks impacted a subset of WeWork customers and contacts in Europe, India and China. Some recognizable company names, such as Tenable and Palo Alto Networks, were among the exposed customer contracts.
After the story was published on November 21, WeWork issued a statement indicating that the GitHub pages in question were no longer accessible to the public and that the company had taken “steps to limit access” to the exposed data.
The bank account details in the customer contracts are the most worrying aspect, of course, but the personal and contact information could be put to use for fraud attempts such as business email compromise schemes.
Insecure cloud storage and employee negligence: Two of the most common cybersecurity vulnerabilities
Rob Gurzeev, CEO and co-founder of CyCognito, had this to say:
“Unfortunately, this kind of IT ecosystem risk isn’t unique to WeWork. In fact, IT and security teams often don’t even know if and where all of their organizations’ digital infrastructure and assets are, or whether they’re fully protected. That lack of visibility and awareness on the part of organizations leads attackers to target GitHub, along with many other cloud-based services and applications, looking for just those types of misconfigurations. This ‘awareness gap’ is called shadow risk, and it’s a major problem. Organizations need to expose their shadow risk by mapping and assessing their full attack surface.”
Improperly secured cloud storage accounts have been an endemic cybersecurity issue in recent years. Often these breaches are found by security researchers combing through large blocks of IP addresses specifically looking for unprotected accounts. While this does not guarantee that a threat actor did not encounter them first, it does reduce the likelihood that the breach resulted in sensitive data making its way out into the wild.
That’s not the case with this recent WeWork incident. A developer’s GitHub account left a clear trail to these exposed contracts and customer profiles, one that could have easily been followed by anyone. The GitHub accounts of enterprise-scale company developers are an attractive target for cybercriminals; it seems unlikely that someone else did not notice this vulnerability at some point, and it is unclear how long the breach window was open.
Gurzeev uses the term “shadow risk,” which appears to exclusively be used by CyCognito to market their cybersecurity platform. But the general sentiment of recognizing and preparing for all likely attack vectors is absolutely a sound notion. In this case, regular auditing of personal GitHub pages attached to platform development and accessible over the open internet likely would have revealed this vulnerability before anyone else could find it.
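The audit suggested above can be partly automated. As an added example (not code from the article, spiderSilk or WeWork), the script below scans committed files for Amazon S3 object URLs of the kind found in the exposed repository and sends an unauthenticated HEAD request to each, so a developer or IT team can flag objects that anyone with the URL could download. The repository contents and bucket names are constructed samples; the `head` callable is injected so the check can also run offline.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# S3 object URLs in virtual-hosted style (bucket.s3[.region].amazonaws.com/key)
# and path-style (s3[.region].amazonaws.com/bucket/key), incl. legacy s3-region hosts.
_VHOST = re.compile(r"https?://(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<key>[^\s'\"<>]+)")
_PATH = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<bucket>[a-z0-9.-]+)/(?P<key>[^\s'\"<>]+)")

# Constructed sample of a committed script; bucket names and keys are made up.
SAMPLE_REPO = {
    "scripts/fetch_contracts.py": (
        "urls = [\n"
        "  'https://example-contracts.s3.amazonaws.com/contracts/tenant-001.pdf',\n"
        "  'https://s3.eu-west-1.amazonaws.com/example-leads/prospects.csv',\n"
        "]\n"
    ),
    "README.md": "No storage URLs in here.\n",
}

def find_s3_objects(text: str) -> List[Dict[str, str]]:
    """Return every S3 object URL in a file's contents, in order of appearance."""
    hits = []
    for pat in (_VHOST, _PATH):
        for m in pat.finditer(text):
            hits.append((m.start(), {"url": m.group(0), "bucket": m.group("bucket"), "key": m.group("key")}))
    return [obj for _, obj in sorted(hits, key=lambda h: h[0])]

def http_head(url: str, timeout: float = 5.0) -> int:
    """Unauthenticated HEAD using only the standard library; returns the HTTP status (0 if unreachable)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0

def audit_exposed_objects(files: Dict[str, str], head: Callable[[str], int] = http_head) -> List[Dict[str, str]]:
    """Scan repo files for S3 URLs; 200 on an anonymous HEAD means anyone with the URL can fetch the object."""
    report = []
    for path, text in files.items():
        for obj in find_s3_objects(text):
            status = head(obj["url"])
            verdict = "public" if status == 200 else "private" if status == 403 else f"unknown({status})"
            report.append({"file": path, **obj, "verdict": verdict})
    return report
```

Running `audit_exposed_objects` over a checkout's text files with the default `http_head` gives a list of every committed storage URL and whether it answers an anonymous request; the public ones are the items to lock down first.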
As was already demonstrated by the WiFi report several months ago, WeWork has had obvious corporate cybersecurity issues throughout the life of the company. Different locations shared a common WPA2 login password that was not changed for months (or a very weak one that would have been trivial to crack), devices were not isolated from each other on local networks, and now it appears that both the platform developers and the IT team are not following some basic best practices for securing customer data.
These contracts and customer data leaks aren’t the primary reason that WeWork is facing such dire financial struggles – as The Atlantic reports, that’s owed more to a combination of a massively overleveraged business model and the personal antics of the founder and former CEO. But they could not be landing on the company’s doorstep at a worse time.
With an average total cost in the millions of dollars and a usual per-record cost of well over $100, a breach of company confidential information that strikes at the wrong time could prove to be a death blow for a business. And while this breach of customer contracts by itself will not spell doom for WeWork in the wake of the SoftBank takeover, studies have shown that the average small to medium business is likely to go out of business after an exposure of this nature.