On Thursday afternoon, October 24, Swedish software vendor Intentia International uploaded its financial results to its web server more than an hour before the company was scheduled to announce them officially.
Minutes later, the Reuters news service found the information there and broke the news immediately -- sending Intentia executives scrambling to release it themselves. Last Monday, Intentia filed a criminal complaint with the Swedish police, accusing Reuters of breaking into its web server. And how did Reuters hack into Intentia's financial data? By typing a URL into a web browser.
Yep, that's it. Intentia initially claimed the financial results were protected with a 40-character password. But after Reuters denied using any passwords to get the data, Intentia changed its story, saying just that the financial results were in a "private" area of the web server and there was no official link to them.
In other words, the financial results -- which by law weren't supposed to be made available on the internet before they were also released to the Swedish stock exchange and newspapers -- weren't actually protected at all. The Reuters "break-in" consisted of guessing the right file name, based on announcements of previous Intentia results.
And anyone could have made the same guess.
Okay, if you're in a corporate IT shop, you're probably rolling your eyes right about now. You know Intentia shouldn't have left confidential information unprotected. You can probably even recite the ways it could easily have been kept secure. For example, by keeping it on the web server in encrypted form, and only decrypting it at the last minute. Or by giving it a highly random, hard-to-guess file name that would only be changed to a conventional name at the last minute. Or by using file permissions to prevent the file from being accessed, and changing them only at the last minute.
Then again, the easiest way to protect that information would have been simply to not upload it to the web server until the last minute. Because if it's not on the server, it can't be on the web.
Seems obvious, doesn't it? But it wasn't obvious to the investor-relations people at Intentia -- a company that sells "e-collaboration" software and plans to get into web services, so you'd think its employees would have a handle on this newfangled internet stuff.
Nor is it obvious to plenty of other users who really do have the idea that as long as there's no official link to it, information on a web server is safe. So they trust the web server as a staging area, or a test bed, or a convenient place to put presentations and demonstrations, some of which contain proprietary or confidential information. And they put that information up long before it's required -- and leave it there long after it's no longer needed.
Want to do them -- and yourself -- a favour? Scan your company's web servers. Find the files that aren't linked to your public website. Then track down their owners and remind them that whatever they put on a web server is accessible to anyone on the internet.
Point out that if someone on the internet can guess the URL of a piece of business information, even if it's not linked, it's not safe. And that's true whether the information is financial data, marketing plans or personnel records, and whether the guesser is a reporter, an employee, an investor or a competitor.
And if they think it can't happen to them, tell them about Intentia. And remind them that your CEO probably isn't desperate enough to call the cops if proprietary information leaks out by way of unnecessary, unlinked files on your company's web servers.
But he'll probably know who's guilty.
Hayes, Computerworld US' senior news columnist, has covered IT for more than 20 years.