OWASP Discloses Data Breach Involving Decade-Old Member Resumes

The Open Web Application Security Project (OWASP) Foundation, a non-profit organization dedicated to improving software security, has recently disclosed a data breach that occurred in late February 2024.

The incident involved a misconfiguration of OWASP's old Wiki web server, resulting in the exposure of member resumes dating back to the period between 2006 and 2014.

According to OWASP, the breach was discovered after the organization received several support requests, prompting an investigation into the matter. The exposed resumes contained sensitive personal information, including names, email addresses, phone numbers, and physical addresses.

OWASP has advised all members who provided their resumes as part of the joining process during the affected period to assume that their information was part of the breach.

The resumes were originally collected as a requirement for OWASP membership between 2006 and 2014, during which members had to demonstrate a connection to the OWASP community. However, this practice has since been discontinued, and OWASP no longer collects resumes as part of the membership process.

"OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process."

Upon discovering the breach, OWASP took immediate action to mitigate the impact and prevent further access to the exposed data.

The organization disabled directory browsing, conducted a thorough review of the web server and Media Wiki configuration for additional security issues and removed the resumes from the wiki site altogether. Furthermore, OWASP has purged the CloudFlare cache to ensure that the exposed information is no longer accessible. As an additional precautionary measure, OWASP has requested that the information be removed from the Web Archive.

Due to the age of the data, ranging from ten to 18 years old, and the fact that many of the affected individuals are no longer associated with OWASP, the organization faces challenges in contacting those impacted by the breach. Nevertheless, OWASP is making efforts to notify the public and will reach out to the email addresses discovered during their investigations.

"As many of the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old, a great deal of the personal details included in this breach are significantly out of date, making contact difficult. Regardless, we will contact the email addresses discovered during our investigations."

OWASP has emphasized that the current membership data is protected using modern cloud-based security best practices, such as two-factor authentication, minimal access, and resiliency. The organization also intentionally collects minimal information for membership to minimize the risk of potential data loss in the future.

For those who believe they may be affected by the breach, OWASP has already taken steps to remove the exposed information from the Internet. If the compromised information is outdated, no immediate action is required. However, if the exposed data is current, such as a mobile phone number, individuals are advised to exercise caution when responding to unsolicited emails, mail, or phone calls.

Recognizing the significance of this breach, particularly given OWASP's focus on cybersecurity, the organization has apologized to those affected and pledged to prevent similar incidents from occurring in the future. OWASP is currently reviewing its data retention policies and plans to implement additional security measures to bolster its defenses against potential breaches.

"We apologize to those affected by the breach and are committed to ensuring that this does not happen again. We are reviewing our data retention policies and will be implementing additional security measures to prevent future breaches."

As the importance of data security continues to grow in an increasingly digital world, organizations must remain vigilant in protecting sensitive information and promptly addressing any breaches that may occur.

The OWASP data breach serves as a reminder of the ongoing need for robust cybersecurity practices and the potential long-term impact of data exposure, even when the information is several years old.