SafetyFirst FTP server compromised exposing customer data

SafetyFirst is a driver training firm based in Parsippany, NJ. Today they made it known to customers in California that they suffered a data breach.


SafetyFirst is a driver training firm based in Parsippany, NJ. Today they made it known to customers in California that they suffered a data breach that may very have exposed the drivers license information of their customers. The breach took place on September 27, 2013 and was discovered on April 2, 2014. Just over six months.

On April 2, 2014, SafetyFirst became aware that an FTP server used to back up your drivers’ data was publicly accessible, resulting in unauthorized access to your drivers’ personal information. SafetyFirst immediately disconnected the FTP server to prevent further unauthorized access to the data on the server. SafetyFirst then launched an investigation into this matter to determine what information was exposed and how the server was being accessed. To assist with this investigation, SafetyFirst engaged the services of an independent forensics investigation firm.

OK…so… /me places sharp objects in a drawer.

Why on earth were they backing up personally identifiable information to an FTP server in the first place? Let’s set aside the fact that this data was accessible to anyone who could enter a search into Google, Bing or what have you. FTP is a clear text protocol. For the uninitiated readers this means that anyone that has the ability to do so, can see all of the information that is passed from point A to point B as it is unencrypted.

Normally I’m empathetic when a company gets compromised as there could be any number of issues that resulted in a breach. In this case this was just a bad idea. At no point should this data have ever been passed over FTP. My next question would be, “Was the data even encrypted?” Waiting to hear back on that point but, bearing in mind the first point I'll guess the answer is no.

So, how did this happen? It turns out that someone goofed during a system upgrade and the system was made publicly accessible. In a move to try and stuff the genie back in the bottle SafetyFirst “has requested that these websites remove the content to prevent further unauthorized accesses to the CLIENT data. SafetyFirst has received confirmation from these websites that CLIENT data has been removed”.

I want to feel bad for them. I really do. In this case I simply can’t. This should not have been designed in this matter.

Is your customer data being backed up via FTP or something similar? Time to take a moment and review your backup strategy.

Remember, safety first.

(Image used under CC from Pascal)

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
New Year's resolution: ‘I will eliminate passwords’ in 2017
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.