2 Sensitive Data Disclosures – WordPress Security DEC, 2020
Be informed about the latest Sensitive Data Disclosures, identified and reported publicly in December 2020. As these Sensitive or Private Data Disclosures have a severe negative impact for any business, consider a security AUDIT. The following PLUGINS made headlines just last month.
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
- Total Upkeep is more than just a “backup plugin”. It can help stop website crashes before they even happen. Website data loss can happen even if you’re doing everything “right”, like keeping your WordPress and plugins updated or having a backup plugin installed. There’s so many things outside of your control that could totally wipe out your website without any warning. Active installations: 60,000+
- Easy WP SMTP < 1.4.3 - Debug Log Disclosure
- Easy WP SMTP allows you to configure and send all outgoing emails via a SMTP server. This will prevent your emails from going into the junk/spam folder of the recipients. Active installations: 500,000+
BRIEF: Personal or Private data is information that must be protected against unauthorised access, preventing Sensitive Data Disclosures and data breaches.
What is Sensitive Data Disclosure?
The loss, misuse, modification or unauthorised access to your most sensitive data or personal data can damage your business, ruin customer trust, breach customer privacy and in extreme cases, might attract hefty fines by law regulations.
What is the impact of a Sensitive Data Disclosure?
Data privacy is becoming more and more imperative. In over 80 countries, personally identifiable information (PII) is protected by information privacy laws that outline limits to collecting and using PII by public and private organisations.
These laws require organisations to give clear notice to individuals about what sensitive data is collected, the reason for collecting and the planned uses of the data. In consent-based legal frameworks, like GDPR, explicit consent from the individual is required.
What kind of Sensitive Data are exploited??
Sensitive information includes all data, whether original or copied, which contains:
– Personal data: as defined by The EU General Data Protection Regulation (GDPR). A series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy. In general, sensitive data is any data that reveals: Racial or ethnic origin; Political opinion; Religious or philosophical beliefs; Trade union membership; Genetic data; Biometric data; Health data; Sex life or sexual orientation; Financial information (bank account numbers and credit card numbers); Classified information.
– Protected Health Information (PHI): as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under the law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.
– Education records: as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.
– Customer information: as required by financial institutions to explain how they share and protect their customers’ private information.