A backup drive on the publisher’s network exposed gigabytes of sensitive client data — including unpublished books, invoices, details of royalty payments, and contracts.
“House of Cards,” adapted for Netflix. (Image: CBS Interactive)
A high-profile publishing firm and literary agency left gigabytes of sensitive company and client data sitting on the open internet for anyone who knew where to look.
The data was found on an internet-connected backup drive on the network of Bell Lomax Moreton, a Kent, UK-based company, by the Kromtech Security Research Center.
The drive runs “rsync”, a tool and protocol for synchronizing copies of files between two computers. But the rsync service on the drive required no username or password, so anyone who connected could browse and download the sensitive data. The drive was also listed on Shodan, a search engine that indexes open and unsecured databases and devices connected to the internet.
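The exposure described above comes down to an rsync daemon module that anyone on the internet can read. The following rsyncd.conf is an added example, not the publisher’s own configuration: it shows the anonymous module beside a hardened one (paths, addresses and the user name are hypothetical).

```ini
# rsyncd.conf: an anonymous, world-readable module beside a hardened one.
# Added example; not the publisher's configuration. Paths, addresses and
# user names are hypothetical.

# --- The exposure pattern: no authentication, no host restriction ---
[backup-open]
    path = /srv/backup
    comment = Office backup
    read only = yes
    list = yes                  # module appears in "rsync host::" listings
    # no "auth users" and no "hosts allow": any internet host can pull it all

# --- Hardened ---
# Bind the daemon to the LAN interface only, never the public one.
address = 192.168.10.5
# Module default: refuse every client unless a module explicitly allows it.
hosts deny = *

[backup]
    path = /srv/backup
    comment = Office backup (authenticated)
    read only = yes
    list = no                   # keep the module out of anonymous listings
    use chroot = yes
    uid = backup
    gid = backup
    auth users = backupsvc      # rsync-daemon user, not a system account
    secrets file = /etc/rsyncd.secrets   # "backupsvc:<password>", mode 0600
    strict modes = yes          # daemon refuses a world-readable secrets file
    hosts allow = 192.168.10.0/24
```

Daemon-mode authentication is a challenge-response on the password, but the file transfer itself is not encrypted; for anything that must cross an untrusted network, run rsync over SSH (`rsync -e ssh`) or inside a VPN instead of exposing the daemon port.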
It isn’t known how long the backup drive has been online and leaking data, but some of the files date back to 1999 and earlier.
Bell Lomax Moreton represents celebrities, former politicians, and well-known and award-winning writers, including author Michael Dobbs, whose novel “House of Cards” was later turned into a five-season Netflix series.
Among the leaking data, Kromtech found the company’s core financial files, ledger books, and several archive email inboxes of senior staff and company executives dating back years. The backup drive also had client contracts, details of royalties, and payment information — which included sensitive financial information, as well as banking numbers of the company’s clients.
The backup drive also had entire copies of client books of varying editions, translations, and versions — which could, if stolen by a malicious actor, be shared on file-sharing sites for free.
Several files also contained credentials for the company’s website, which would allow anyone holding them to log in and modify portions of the site.
The backup drive has since been secured, following several attempts by Kromtech and ZDNet to reach the company.
The company said it was “grateful” to Kromtech’s security researchers, but declined to comment when contacted by ZDNet.