Huddle’s ‘highly secure’ work tool exposed KPMG and BBC files

The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.


Huddle is an online tool that lets work colleagues share content and describes itself as “the global leader in secure content collaboration”. The company said it had fixed the flaw.

Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages.

More info: http://www.bbc.co.uk/news/technology-41969061

Commenting on this is Bill Evans, Senior Director at One Identity:

“First, Huddle bills itself as ‘secure document collaboration for teams, enterprise and government organizations.’ That’s great…except the operative word there is secure. Clearly, as demonstrated by this situation, there is a lack of security. In Huddle’s defense, it was forthcoming regarding the bug and it has been fixed. Moreover, it was clear that this bug was encountered incredibly infrequently. But nonetheless, it was a bug…a security flaw…from a company that bills itself as a security-minded company, stewards of sensitive and confidential information.

Second, there’s KPMG. The employees of that company were likely simply trying to be more productive. In doing so, they may have posted confidential information to a cloud-based service provider. I wonder if the use of that system was sanctioned by KPMG’s IT or Infosec departments or perhaps this was another example of “shadow IT”, where the line-of-business people took it upon themselves to find a SaaS solution to a productivity problem.

Lastly, it would be interesting to understand what type of data was on the Huddle site. Was it European citizen data? Would its existence violate the upcoming GDPR regulation? Could KPMG erase specific data elements if a citizen wanted to invoke his / her “right to be forgotten”? Perhaps we’ll never know.

The right answers here are:

  1. Penetration testing – organizations need to ensure that their applications are pen tested to ensure optimal security. If Huddle was doing this, they are to be applauded. But then, I might suggest it find another organization to conduct the pen testing.
  2. Education – organizations need to educate users on the benefits and risks of exercising “shadow IT.” There is a time and place for it but not in all cases. When confidential or sensitive information is involved, engaging with the IT department is the best bet.
  3. Department of YES – to that end, oftentimes the line of business decides NOT to engage with the IT or security group for fear of being told “no.” InfoSec needs to modernize its position on security as a business enabler so as to become the “department of yes.” Generally speaking, this means a detailed risk assessment to understand the sensitivity of assets and a refocusing on the basics of identity and access management, which includes securing end user and privileged access, offering multi-factor authentication whenever possible and ensuring all access and access requests are tightly governed.”