P2019-ND-093

Entrust Disability Services, as reported by Box Clever

The Organization is a web design company. The Organization reported the following with respect to the website www.entrustdisabilityservices.ca:

Issue #1: Directory Access
Upon investigation of the issue, it was determined that between December 27, 2018 and January 11, 2019 a server misconfiguration allowed for directories on websites to be indexed. This created the potential for certain files to be accessed that should not have been. When this misconfiguration was discovered on January 11 it was fixed immediately. The folder that was made accessible was called “/public” and its purpose is to hold files needed to render websites, such as images, JavaScript, and CSS files. Our initial assessment of the impact of the misconfiguration was that it posed a minimal risk.

Issue #2: File Storage Locations
On January 14, a second issue was discovered: a bug in the code that was incorrectly storing certain files in a sub-folder of “/public”.

Issue #3: Search Engine Indexes
The combination of storing these files in an incorrect location and then allowing that location to be accessed may have resulted in access to these files. The probability of people discovering these files was extremely low. Our primary concern is with automated crawlers, bots, and search engines discovering the files, and then subsequent access by human visitors via search results.
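
The following is an added example, not part of the Organization's report or the original notice: a Python audit that lists files under “/public” that are not render assets (Issue #2) and then checks access-log lines for successful requests to those files or to directory URLs, separating crawler traffic from other visitors (Issues #1 and #3). The asset extension list, the combined log format, the `uploads` sub-folder name, and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: only render assets (images, JavaScript, CSS, fonts) belong under /public.
ASSET_EXTS = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2"}
# Assumption: the access log uses the combined log format.
LOG_RE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
BOT_RE = re.compile(r"bot|crawl|spider|slurp", re.I)

def misplaced_files(public_root):
    """Return URL paths of files under public_root that are not render assets."""
    root = Path(public_root)
    return sorted(
        "/public/" + p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() not in ASSET_EXTS
    )

def exposure_hits(log_lines, flagged):
    """Return (path, kind, user_agent) for each 200 response to a flagged file
    or to a directory URL under /public/ (a listing or index page was served)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group(2) != "200":
            continue
        path, agent = m.group(1).split("?")[0], m.group(3)
        if path in flagged or (path.startswith("/public/") and path.endswith("/")):
            kind = "crawler" if BOT_RE.search(agent) else "other"
            hits.append((path, kind, agent))
    return hits

# Constructed sample log lines (not taken from the incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2019:10:00:00 +0000] "GET /public/uploads/ HTTP/1.1" 200 1532 "-" "ExampleBot/1.0"',
    '203.0.113.5 - - [02/Jan/2019:10:00:02 +0000] "GET /public/uploads/form.pdf HTTP/1.1" 200 88211 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [03/Jan/2019:09:12:40 +0000] "GET /public/uploads/form.pdf HTTP/1.1" 200 88211 "https://search.example/?q=form" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jan/2019:09:13:00 +0000] "GET /public/css/site.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2019:09:13:00 +0000] "GET /public/uploads/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in exposure_hits(SAMPLE_LOG, {"/public/uploads/form.pdf"}):
        print(hit)
```

Requests classified as "other" that carry a search-engine referrer correspond to the human visits via search results that the report names as its primary concern.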
