Summary
TurgenSec became aware of a publicly accessible datastore which belonged to Skild (skild.com). The breach contained 11,964 unique emails and the data headings listed below.
Further data within this breach appears to relate to the entries, judges and processes behind:
- 76 West (https://www.nyserda.ny.gov/All-Programs/Programs/76west)
- Grow NY (https://www.grow-ny.com/)
- 43 North (https://www.43north.org/)
Along with further documents and potential PII.
This breach was accessed and downloaded by an unknown third party.
Potentially sensitive data headings (see Appendix A for the full list):
- Entry Status
- Team Id
- Team Name
- Team Leader Id
- Team Leader First Name
- Team Leader Last Name
- Race
- Judge
- Status
- Judge Score
- Comments
- Bracket Category
- Reason for not qualifying
- Company Information
- Company Name
- Company Address – Street
- Company Address – City
- Company Address – State or Province
- Company Address – Zip or Post Code
- Country
- Office Phone or Mobile Number
- Year Company Formed
- If you are a US based business, what is your EIN tax number? If outside of the US, please include your company’s tax ID number that applies.
- Please include your company’s Dun and Bradstreet (DUNS) number.
- Does your business hold an MWBE (Minority/Women’s Business Enterprise) New York State certification?
- Does your business hold a SDVOB (Service Disabled Veteran Owned Business) New York State certification?
- Does your business hold any international, national, and/or state or city certifications similar to the two listed above?
- If you answered “Yes” to the above question, please list the certifications below
- Company Website
- Message_ID
- Event_ID
- Created
- Sender
- Recipient
- CC
- BCC
- Subject
- Message
- Status
- Delivery_Attempts
- Delivered
- Attributes
- Campaign_ID
- Execute_Delivery
- Configuration_ID
What is Skild?
According to Capterra: “Skild helps organizations design and run successful challenges and competitions. They’ve run over 500 hundred challenges and other programs that have awarded over $100 million in prizes over the past 15 years. They’ve created an easy-to-use online software tool to manage submissions, judging, communications and public voting. Using their unparalleled experience, Skild guides clients through competition design, marketing and execution. Clients: Cisco, Disney & The National Science Foundation.”
TurgenSec Response
The information was left public facing, where anyone with a browser and an internet connection could access it if they knew where to look.
We encourage Skild to submit the breached data to digital forensics specialists to ascertain the extent of this data breach.
We also encourage Skild to inform any relevant regulatory body, especially if UK or EU citizens’ data is contained within the breach, as this should be reported to the local regulator (the ICO in the UK). We further encourage Skild to issue a public disclosure of this data breach explaining how this datastore breach occurred, including the full extent of what was breached, so that the impacted companies, entrants, judges and host organisations can take the necessary steps to protect themselves.
Skild has informed us that all of their “legal and contractual” obligations have been met, but did not answer these specific questions posed by TurgenSec:
- Have all of those impacted been informed of the true extent of the data breached so that they can take actions to protect themselves?
- Have you reported the incident to any relevant authorities? E.g. if European citizens’ data is contained within the potential breach, there will be legal obligations to disclose this to GDPR regulators (the ICO in the UK), regardless of where the company is registered.
As Skild did not want to confirm either of these, we were unable to ascertain whether the people and entities impacted by this incident were notified, so we are publicly disclosing this breach.
Archive of statement updates
- 6th April 2021 – Statement V1.0 Released
Afterword
This breach is a case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture. Due diligence is not a box that can be ‘checked’ once and left thereafter, nor should cyber security analysis be missing from this process – a problem we address in our products.
Disclosing breaches to companies is not without risk. In the past, well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.
No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database.
There was no legal obligation for us to disclose this breach. Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in Appendix A. This allows those impacted people and organisations to assess the scope of the breach and, where appropriate, exercise their legal rights and incident response plans.
Going forward, we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high-risk, no-reward situation. We believe that such a culture shift would directly benefit the UK and international community through the global reduction of cyber crime.
Appendix A
Note: Additional headers existed relating to specific questions and answers, but have not been included in this Appendix due to space limitations.
- ——– 1 – 2019 YTD
- ——– 1 – Annual Financial Performance
- ——– 1 – Assumptions
- ——– 1 – Budget
- ——– 1 – BUDGET (USD)
- ——– 1 – Cash Flow
- ——– 1 – Constants
- ——– 1 – Cover
- ——– 1 – Dashboard
- ——– 1 – Expense report
- ——– 1 – Financials
- ——– 1 – Forecast
- ——– 1 – IBM financial summary
- ——– 1 – IBMGNY Financial Summary
- ——– 1 – Key Activities
- ——– 1 – P&L Summary
- ——– 1 – Projected
- ——– 1 – Re-Nuble Financials
- ——– 1 – Sheet1
- Clean Energy Impact (16.7)
- Clean Energy Impact Comments
- Customer Value(16.6)
- Customer Value Comments
- Business Model Viability(16.6)
- Business Model Viability Comments
- Technical Viability(16.7)
- Technical Viability Comments
- Southern Tier Economic Impact (Job Creation)(16.7)
- Southern Tier Economic Impact (Job Creation) Comments
- Team(16.7)
- Team Comments
- Product or service fits the guidelines of Food and Ag(25.0)
- Can at least 2 of the 4 early stage company criteria apply?(25.0)
- Has the business entity been confirmed?(25.0)
- Is the business model scalable?(25.0)
- Viability of Commercialization and Business Model (20.0)
- Customer Value(20.0)
- Food and Ag Innovation(20.0)
- Grow-NY Regional Job Creation(20.0)
- Team(20.0)
- Product or service fits the 76West clean energy definition. (30.0)
- Does the entry meet at least 2 of the 4 criteria?(60.0)
- Business Entity(10.0)
- Entry Status
- Team Leader First Name
- Team Leader Last Name
- Judge
- Judge Score
- Comments
- Company Information
- Company Address – City
- Company Address – Zip or Post Code
- Does your business hold an MWBE (Minority/Women’s Business Enterprise) New York State certification?
- Does your business hold a SDVOB (Service Disabled Veteran Owned Business) New York State certification?
- Does your business hold any international, national, and/or state or city certifications similar to the two listed above?
- If you answered “Yes” to the above question, please list the certifications below.
- Company Website:
- Company Logo: Vector File
- Entry Id
- Team Id
- Team Name
- Team Submission Status
- Competition Status
- Submission Timestamp
- Team Leader Id
- Team Leader Name
- General Tags
- SubCategory Tags
- Grown-NY Finalist Entry Form
- Company Name
- Company Address – Street
- Company Address- City
- Company Address – State or Province
- If you are not located in the United States, enter your state or province here
- Company Address- Zip Code
- Country
- If United States based, in which state is your company incorporated?
- Office Phone or Mobile Number
- Year Company Formed
- If you are a US based business, what is your EIN tax number? If outside of the US, please include your company’s tax ID number that applies.
- If applicable, please include your company’s Dun and Bradstreet (DUNS) number.
- Company Website
- Company Logo: JPG or PNG
- Company Logo: Vector File (If available)
- Message_ID
- Event_ID
- Created
- Sender
- Recipient
- CC
- BCC
- Subject
- Message
- Status
- Delivery_Attempts
- Delivered
- Attributes
- Campaign_ID
- Execute_Delivery
- Configuration_ID