Exploit: Accidental Data Sharing (Human Error)
Southern Water: Utility Company
Risk to Small Business: 2.201 = Severe
A user of the utility company’s website discovered some SharePoint settings shenanigans. Southern Water had set up SharePoint to host customer information as a “your account” style section of its website, and that section exposed URLs that could be tweaked to view other people’s account information. Customers who knew how to tweak the SharePoint URLs were able to quickly access the full name, address, customer account number, payment reference number, bill and payment dates, account balance, payment amount, bill amount, meter details, and meter readings of other customers.
Individual Risk: 2.810 = Moderate
No financial data was exposed, and the incident only affected general publicly available data accessed through the SharePoint site by someone who already had a system ID.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Controlling who has access to what, and who needs to have access to what, can be a time-consuming process for IT support, but failing to secure information correctly can have dangerous consequences, including an expensive data breach.
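The tweakable account URLs described above come down to a missing ownership check on each record. The Python below is an added example, not code from the article, Southern Water or SharePoint: it puts the unchecked lookup beside a hardened one and adds a log review that flags users requesting accounts they do not own. All names, account IDs and the log format are constructed assumptions.

```python
"""Object-level authorization for a "your account" page (illustrative only)."""
from collections import defaultdict

# Constructed data: account records and the logged-in user who owns each one.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": "42.10"},
    "1002": {"owner": "bob", "balance": "17.85"},
    "1003": {"owner": "carol", "balance": "0.00"},
}

# Constructed access log, one "<user> <account_id>" pair per request.
SAMPLE_LOG = [
    "alice 1001", "bob 1002", "bob 1001",
    "bob 1003", "carol 1003", "carol 1003",
]


def get_account_unchecked(session_user, account_id):
    """The flaw: any logged-in user receives whatever ID the URL names."""
    return ACCOUNTS.get(account_id)


def get_account(session_user, account_id):
    """Hardened: a record is returned only to the user who owns it."""
    record = ACCOUNTS.get(account_id)
    # Same answer for "missing" and "not yours", so IDs cannot be enumerated.
    if record is None or record["owner"] != session_user:
        return None
    return record


def flag_cross_account_access(log_lines, threshold=2):
    """Return users who requested at least `threshold` accounts they do not own."""
    foreign = defaultdict(set)
    for line in log_lines:
        user, account_id = line.split()
        record = ACCOUNTS.get(account_id)
        # Unknown IDs count too: they indicate probing of the ID space.
        if record is None or record["owner"] != user:
            foreign[user].add(account_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_account_unchecked("bob", "1001"))  # another customer's record
    print(get_account("bob", "1001"))            # denied
    print(flag_cross_account_access(SAMPLE_LOG))
```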
Source:
https://www.theregister.com/2020/08/28/southern_water_sharepoint_shenanigans/?&web_view=true