Staff at office space provider Regus have had internal data about their work performance laid bare online following a cock-up by a company brought in for a training and development exercise.
As part of the scheme, Regus commissioned a firm called Applause to record staff at work, showing potential clients – played by researchers – around office space available to rent.
Some staff might have been applauded by Applause, others might well have needed more training, but, whatever the case, the “applause” for Applause soon stopped when it was discovered that instead of keeping this information confidential, the training firm published it on task-management website Trello. But not only did it leak performance data; it also exposed Regus employee names and addresses, as well as the personal data of Applause staff.
The Daily Telegraph claims that over 900 Regus staff have been affected; details on how many Applause employees have been caught up in the issue have not been released.
In a statement, Regus parent company IWG said: “Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.
“As our primary concern we took immediate action and the external provider has now removed the content.”
Meanwhile, Trello has insisted that all its files are set to private by default and that they must be manually changed by the user to be made publicly available. The company’s co-founder Michael Pryor added: “We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible.”
An Applause spokesman said: “Since being made aware of this issue, we have reiterated our policies with our worldwide employees and have run an internal audit to confirm that there are no other unapproved third-party software tools being used in any client engagements.”
It is understood that the Information Commissioner’s Office has yet to receive notice of the breach.