@JayeLTee This is why sometimes it's not enough to just disclose responsibly to an entity. Did you let the data protection regulator know that although the entity is claiming 4-day exposure window, your research found it was almost a year? And did you tell the data protect regulator that the entity is reportedly telling some departments that their data was not exposed, when you found clear proof that it was?

@lfdi

@Scary Nice to see you here! Hope to see you posting/sharing more of your research.

When you say Alltech was flagged around 11 times before closing, what exactly do you mean by that?

@douglevin They claim “no data or information was exposed or compromised during this event."

Diachenko had posted a redacted screenshot on X

(see https://twitter.com/MayhemDayOne/status/1694311872827208160/photo/1) showing that personal information was exposed, so the firm's denial of any exposure seems.... factually inaccurate, to say the least.

Similarly, their statement that "Our technical team promptly resolved this issue as soon as it came to our notice." does not explain why they didn't notice it sooner when Diachenko first reached out to them to alert them. He went public because they didn't "notice" or respond timely while personal information was reportedly exposed.

This company does not seem very credible in their claims with respect to this incident.

And they also seem to be in a lot of financial distress even prior to this incident: https://www.bbc.com/news/world-asia-india-66126095

@jeff 100% Agree with you there. #Patching is hands down, one of the top to things to mitigate risk in an org for sure. But for this talk, I need to find new and emerging threats.

User #negligence though...I think you've got something here. User negligence though #misconfiguration might very well be one of the biggest emerging threats to #infosec. Every day I hear about a new expose S3 bucket or something.

Thanks for your help!