Security company Assist Security exposed over 100,000 sensitive files publicly
The exposed company files were mainly PII from guard applications, vetting and assignments.
Who is Assist Security?
“Assist Security Group are tailored, comprehensive, and professional security experts delivering solutions that address each client’s unique needs and challenges.
Our professional security experts provide a service for protection that is targeted towards a 6-Point Security Solution: People, Partnership, Protection, Prevention, Presentation and Planning.” from assistsecurity.co.uk website
Finding the exposed data
On October 23rd, while doing research, I flagged a server for exposed PII. I was just flagging potential things to report that day, so I only started looking at the server contents the week after.
On October 28th I looked at the file count and the server contents more closely and noticed the documents were mainly related to guard vetting and applications:
File count: 124,035
Size: 46.48 GB
Some of the files exposed included:
Application forms
TrustID validated documents
SIA (Security Industry Authority) cards
Previous employment reference requests
Site induction reports and agreements
Shift and employee lists
Payroll data
The induction reports included brand stores such as Armani, Balmain, Versace and others.
There were also spreadsheets with wages and job locations.
It’s hard to get the full scope of what exactly was exposed. The server contained hundreds of directories, many of them related to specific individuals. This included data of people who started the application process and later quit or were denied, so some people had more data exposed than others depending on where the process stopped. People who were approved would have had more exposed, which could include things such as payroll data.
The files came from a backup generated around August 2023 and contained years’ worth of information, with invoices dating as far back as 2005.
Notifying the company
I saw all the data was related to Assist Security so I started looking for emails to contact.
After finding the Director of Intelligence & Risk and a couple of company emails, I sent an email notifying the company.
A day after my email the server refused unauthenticated connections.
On November 2nd, since I had not heard back from the company, I sent an email asking what the company’s intentions were regarding the disclosure of this incident.
Communication with Assist Security
On November 6th I finally got a reply from the company.
The email I received thanked me for the responsible disclosure and said among other things:
“During our review we confirmed that it was only the data structure that was exposed - If you have reason to believe this was not the case, please do advise as such so that we can further review. We appreciate your efforts to help us mitigate this security issue.”
Assist Security also mentioned they were evaluating the disclosure of the incident.
Since I’ve explained above what was exposed, it’s easy to see that their review clearly missed that the data itself was exposed, not just the file structure as they claimed in the email. I replied explaining that over 100,000 files were publicly exposed for download, that it wasn’t just the file listing, and that I would give them time to evaluate whether they needed to disclose this incident before I made my post.
I then waited for over a month. On December 19th 2024 I was working on the draft for this incident and, since Assist Security had never updated me, I sent an email asking if they had any update and whether they wanted to provide an official statement to be included in my post.
Two days later I got a short reply that said:
“Thank you again for bringing this to our attention – we have conducted an assessment with our legal advisors and don't see this as a reportable breach, however if you have evidence to the contrary, please share.”
The information on this server was quite sensitive and very high risk in the hands of the wrong people. The fact that the company never asked me for any IP I used to access the data, or even what I accessed, combined with them telling me this was just the file structure, made me doubt they had checked any logs, if they even had any to begin with.
I sent another email asking whether they had logs proving that no one accessed this data during the time span that the server was publicly exposed.
I was told the message had been forwarded to the legal team for review. Since this was close to the holidays, it was possible they couldn’t get back to me before 2025, so I told them I would postpone my publication again to give them time to reply.
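The question above, whether the logs show real downloads or only directory listings, is answerable from ordinary web-server access logs. The following is an added example (not code from the original post or from Assist Security): it parses constructed Common Log Format lines and, within an assumed exposure window, separates successful directory-listing requests from successful file downloads under a hypothetical share root. The IPs, paths, sizes and timestamps are all constructed for illustration.

```python
"""Triage constructed access-log lines for an exposed file share: count
directory listings ("only the structure") separately from actual file
downloads, limited to the exposure window. Everything here is constructed."""
import re
from datetime import datetime

# Constructed Common Log Format lines; not from the incident's server.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2024:10:02:11 +0000] "GET /backup/ HTTP/1.1" 200 5120
203.0.113.7 - - [24/Oct/2024:10:02:40 +0000] "GET /backup/vetting/ HTTP/1.1" 200 2048
203.0.113.7 - - [24/Oct/2024:10:03:05 +0000] "GET /backup/vetting/applicant-0001.pdf HTTP/1.1" 200 184320
198.51.100.23 - - [27/Oct/2024:22:15:59 +0000] "GET /backup/payroll/wages-2023.xlsx HTTP/1.1" 200 92160
198.51.100.23 - - [27/Oct/2024:22:16:30 +0000] "GET /backup/payroll/wages-2022.xlsx HTTP/1.1" 404 0
192.0.2.9 - - [30/Oct/2024:08:00:00 +0000] "GET /backup/vetting/applicant-0002.pdf HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def classify_access(log_text, start_iso, end_iso, root="/backup/"):
    """Within [start, end), count successful GETs under `root` as either a
    directory listing (path ends with '/') or a file download, and record
    which client IPs did either. Only 200 responses leak content; 401/404
    responses are ignored. `root` is a hypothetical share path."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    listings, downloads, clients = 0, set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        if rec["method"] != "GET" or rec["status"] != 200 or not rec["path"].startswith(root):
            continue
        clients.add(rec["ip"])
        if rec["path"].endswith("/"):
            listings += 1
        else:
            downloads.add(rec["path"])
    return {"listings": listings, "downloads": sorted(downloads), "clients": sorted(clients)}
```

A non-empty `downloads` list is the evidence that content, not just structure, left the server; an empty one across the full exposure window is what a "structure only" claim would need to show.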
On January 13th 2025, with no reply yet again, I emailed Assist Security asking if there was any update or official statement they wanted to provide before I published this.
At the time of publication, Assist Security had not replied to my email; the post will be updated if I get a reply.
Final notes
Even though I flagged this server on October 23rd and it was closed less than a week later, on October 29th, this does not mean the server wasn’t exposed for longer than that; Assist Security never provided me any information regarding this.
I am yet again left chasing companies for replies and updates and keep hearing all kinds of excuses and outright wrong claims meant to minimize the incidents I deal with. This is not an isolated thing either, and it’s one of the reasons I often file complaints with data protection authorities with all the information I have, including my posts.
As I usually do with all the United Kingdom incidents I find, this post will be forwarded to the UK ICO so they can file my information alongside the company’s report, in case there is one, and assess whether notifications to their office and to individuals are required.