Thousands of employees who didn’t want to take their workplace problems to HR have turned to technology to air their grievances, such as the anonymous social network Blind. Blind is an app-based platform that lets employees from the same company anonymously connect with co-workers to discuss problems at their workplace without fear of retribution. However, Tech Crunch is reporting that a security researcher discovered that Blind left a server unprotected, and that its promise of anonymity might not be accurate.
Blind, founded in South Korea, came to the U.S. in 2015, where it found a hungry user base among employees in Silicon Valley. In the non-tech world, the app flew under the radar until it was used by whistleblowers to expose major scandals at a handful of companies, including the rampant sexual harassment problems at rideshare giant Uber.
The company has users sign up with their business e-mail address, which is used to verify that they work for a particular company. Once signed up, a user is assigned an anonymous member ID. The company states that those e-mail addresses were used only for verification, were never stored on its servers, and were never directly associated with the member IDs. The data on the exposed server appears to contradict this claim.
According to Tech Crunch, the security researcher, Mossab H, “found one of the company’s Kibana dashboards for its backend ElasticSearch database, which contained several tables, including private messaging data and web-based content, for both of its U.S. and Korean sites.” Upon reviewing a portion of the exposed data, Tech Crunch “found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts.”
Contrary to Blind’s assertion that the e-mail addresses used for verification are completely firewalled from a user’s ID and activity, Tech Crunch found that many of the leaked records did contain plaintext e-mail addresses. Additionally, some records “contained the user’s e-mail as unrecognized encrypted hash,” which is not readable by anyone outside the company but could potentially be used by Blind employees to connect a member ID to an individual.
Blind has since taken the database offline, but only after Tech Crunch followed up a week after its initial contact. The company has now notified those affected by the data breach.
This breach creates a potential nightmare for both companies and their employees. Whistleblowers can perform a vital function, particularly if a company’s culture has become toxic. And having an anonymous space, free from potential retribution, can help hold companies accountable for the actions of a few bad apples when an employee doesn’t feel safe reporting to their own HR representatives or supervisors.
However, when employees (from entry-level positions all the way through executives) provide information about the inner workings of an organization through an unsecured platform on which they can potentially be identified, the result is serious internal and external cybersecurity and physical security risks.
Hopefully, as Blind CEO Sunguk Moon has stated, the issues leading to the breach have been addressed, and no one has improperly used any of the data that was publicly available. Going forward, creating and implementing policies and mechanisms that allow your employees to safely and anonymously report bad behavior to the appropriate HR and security personnel may truly be the only way to prevent these kinds of risks to your organization.