P2021-ND-017

The Organization provides salary compensation information to its service provider, Korn Ferry, on an annual basis. On June 26, 2020, Korn Ferry learned, through a blog post by a security researcher, that an Amazon Web Services S3 Server (AWS S3 Server) contained data submitted to Korn Ferry by the Organization related to 2018 salaries. The data was inadvertently made publicly available on the AWS S3 Server on July 24, 2019 and was removed on June 26, 2020. The Organization was initially notified of the breach on July 1, 2020. On July 10, 2020, the Organization was informed by Korn Ferry that it assumes that the information has likely been viewed and/or downloaded and has no reason to believe the security researcher is incorrect.
? The Organization reported that Korn Ferry does not know whether the data was viewed or downloaded because logging was not enabled on the AWS Server.
? The security researcher identified an actor operating on the dark web selling access to the data. The security researcher claims to have acquired the information sold by the actor.

File Type: pdf
File Size: 599 KB
Categories: 2021