Palo Alto Networks may have had a data privacy incident. A service provider is responsible for employees' personal data having been publicly accessible.
I became aware of this data protection incident via the following tweet by Aryeh Goretsky (ESET security researcher).
Palo Alto Networks hit by data leak https://t.co/ja7wC5Ujbu
— Aryeh Goretsky (@goretsky) November 29, 2019
Incident confirmed
According to this article on Techradar, Palo Alto Networks has already admitted the privacy violation to the news outlet Business Insider. The incident led to the personal data of both former and current employees being shared online.
Palo Alto Networks, Inc. is a U.S. multinational cyber security company headquartered in Santa Clara, California. Its core products include a platform with advanced firewalls and cloud-based capabilities that extend these firewalls to other aspects of security. The company has more than 60,000 customers in over 150 countries.
Business Insider was alerted to the incident by a former Palo Alto Networks employee who wanted to remain anonymous. Palo Alto Networks then confirmed to Business Insider that the personal data of around seven current and former employees had already been "accidentally" put online in February by an external service provider. The names, birth dates and social security numbers of the employees were made public.
Details remain unclear
However, Palo Alto Networks remains silent about the name of the external company and has not yet disclosed where the information was leaked. A spokesperson for the cyber-security company told Business Insider about the incident:
"We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals. We take the protection of our employees' information very seriously and have taken steps to prevent similar incidents from occurring in the future."
Whether the data protection incident caused by the service provider is to be classified as 'accidental' or 'intentional' is unknown.