JRD Security Incident Notification

Breach ref #: 2020/01/JRD

Details of breach

Involved parties	InterGen Web Solutions (https://intergen.org), Polished Geek (https://polishedgeek.com), Other parties yet unknown pending further investigation
No. of people potentially affected:	2,700 individuals were affected. Users with an account on resources.joomla.org
Nature of breach:	Exposure of personal data
Description of breach:	JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach. Known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team) Each backup copy included a full copy of the website, including all the data. Most of the data was public, since users submitted their data with the intent of being included into a public directory. Private data (unpublished, unapproved listings, tickets) was included in the breach. The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters.
Common Vulnerabilities and Exposures (CVE) of vulnerability	None
How we became aware of the breach	Internal website audit
Data potentially affected	Full name Business address Business email address Business phone number Company URL Nature of business Encrypted password (hashed) IP address Newsletter subscription preferences
Consequences of the breach	Personal data contained in JRD could have been accessed by a third-party.
Advisory	Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.

All the accesses to the website have been suspended during the investigation phase.

Risk Assessment

Negative impacts of the data breach to individuals

Right impacted	Assessment	Risk Level
Financial Loss	There was no payment data exposed, which means that the risk of financial loss to individuals is extremely low.	Extremely Low
Damage to reputation	No reputational data was exposed, no reviews, comment about activities, or similar data was exposed so the risk of damage to reputation of individuals is extremely low. The database that was exposed did not contain any reputational data.	Extremely Low
Discrimination	No data that could lead to discrimination or sensitive data was included in the directory so it could not be exposed in the data breach. The risk of discrimination to individuals is extremely low.	Extremely Low
Identity theft or fraud	Data that would be typically used for the purposes of identity theft or fraud such as driver’s license numbers, social security numbers, mother’s maiden name was not included in the database. Usernames and passwords were included in the database, however Joomla has always encrypted passwords and does not hold them as free text. It was therefore considered that the risk for individuals in terms of password recoverability was low.	Low
Limitation of data subject rights	The risk to individuals is that the data will be used for marketing/advertising purposes without consent. However, individuals supplied the data to submit it to a public database so they were aware that the data would be public. However, certain data that was provided by the individuals was not intended to be public but is now available to the third party. The data subject rights of consent, ability to withdraw from direct marketing and the ability to withdraw consent would be impacted. However, not all or most data subject rights will be impacted or limited by this data breach. The team has agreed that the risk to the limitation of data subject rights is medium	Medium
Loss of control over data	The data has been breached and control over data has been lost. The risk of loss of control over data is high in this case.	High
Unauthorized reversal of pseudonymization	In this case, the personal information was not masked with pseudonymization. Thus, there is no risk of reversal of pseudonymization.	Not applicable
Any other significant or economic disadvantage	The team could not see a significant or economic disadvantage that could affect the data subject.	Extremely Low

Overall Risk Classification

Overall risk to data subjects as a result of this data breach: the team determined that the risk to data subjects is low to medium.

Report to Privacy Authorities was not necessary due to the Risk level.

Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware.

Actions taken to increase the security and prevent eventual breaches

General - System Audit

Akeeba Backup configuration check:
Everything removed and the official backup configuration implemented with full encryption to organizational approved locations, with internal triggers.
- Multiple backup profiles to third-party AWS S3 Locations.
- Backups without passwords.
- Backups without encryption key
External connections check:
All connections from external services removed.
- Third party service used to trigger the backups remotely.
- Third party service used to do audits.
Communication streams:
Removed / Converted private mail address to organizational ones and blocked access to external support parties.
- Ticket notifications to private mail address instead of organizational ones.
- Support from external parties without clear responsibility separation by using ACL.
CPANEL / Hosting level:
- Removed all custom FTP & SSH accounts.
- Changed access credentials.
- Changed database user & password.

Joomla Specific - System Audit

Users
- Removed all users not logged in before 2019-01-01 without any relation to tickets, articles, listings etc.
- Changed all users to Registered when not participating in the team or anywhere in the organization and have reason to access the backend structure.
- Removed all unused groups and access levels.
- Removed all not allowed staff from the ticketing system.
- Removed Super User accounts owned by individuals outside Open Source Matters.
Authentication:
- Enabled 2FA features (Google & Yubikey)
- Configured the password requirements in Joomla!
Outdated / Not used Extensions:
- Uninstalled 7 Components
- Uninstalled 5+ plugins
- Uninstalled 10+ modules
- Uninstalled third party template
Other improvements:
- Enabled ReCaptcha for registration and other form factors.
- Updated all used extensions manually or through the update mechanism
- Secured mail sending features.
- Configured the Joomla Privacy Features
- Increased PHP version to 7.3 for additional security
- Corrected template overrides to enable Joomla CMS released security fixes.
- Cleaned the database of 750+ old tables, data etc.

Organizational Measures

Internal Audits
- Gave the mandate to the Webmasters Team to conduct regular audits of the *.Joomla.org websites.
- Enforced the signature of a Non-Disclosure Agreement to all the people with access to personal data.
- Started the preparation of a Data Processing Addendum to be signed by all the people with access to personal data.
Breach specific
- Issued a complete data deletion request to the involved third-party.

We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding.

The Incident Response Task Group involved: Luca Marzo, Wilco Alsemgeest, Donata Kalnenaite, Marco Dings, Hugh Douglas-Smith, Radek Suski, Jaz Parkyn, Achilleas Papageorgiou, Kleanthis Dellios, David Jardin.

Details: Written by: Joomla Incident Response Task Group; Published: 28 May 2020