2018-08-15 Potential data breach
Date | 2018-08-15 |
Authors | Frederic Randriamora / John Simmons |
Status | In progress/Complete |
Summary | Credentials available on a public GitHub repository |
Impact | Access to apps in dev |
Root Cause
Credentials to the TIS Dev environment were published on a non-HEE public GitHub repository.
Likely cause: an ex-HEE employee, Kais Malique (DBA in the National Data Warehouse team), created a separate repository (referenced in the email sent to us) into which he put credentials to access both HEE Tableau and the HEE TIS app. As a free GitHub repository, it defaulted to 'Public'.
Trigger
Mark Baldwin (HEE IT Web Architect) found a public GitHub repository that looked like it had a HEE Tableau and HEE TIS Dev username and password in it. When the TIS team heard about the issue, we began our investigation.
Resolution
Ray has been able to contact Kais and he has now removed the content from the repository.
Determined that the script was written in PowerShell, which we do not use in the project.
The TIS team have checked all our HEE TIS repositories and confirmed the script in the screenshot sent to us was not copied from them.
Determined that, regardless of where the script was posted, the credentials listed in it could not be used to access confidential data. The credentials in the script for TIS give access to the TIS app in the Dev environment. In this environment, data is obfuscated. The credentials do not give access to any of the other environments. So we are confident that no data breach has occurred.
We have, however, used the investigation as an opportunity to take some action items to further improve security:
Action Items
Action Item | Type | Owner | Issue |
---|---|---|---|
Find all the clear text credentials and encrypt them | mitigate/prevent | DevOps | |
Make sure all the TIS git repositories are private | mitigate/prevent | DevOps | |
Make sure forking is forbidden | mitigate/prevent | DevOps / Scrum Master | |
Treat the account as compromised and remove it | mitigate/prevent | DevOps | |
Double check the user has no access to the databases | mitigate/prevent | DevOps | |
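
One way to approach the first action item, as an added example that is not the TIS team's own tooling: a heuristic Python scan that flags quoted credential literals of the kind found in the PowerShell script described above. The rule names, file suffixes and sample script are assumptions constructed for illustration, and findings never include the secret value itself.

```python
import re
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "source line rule")
REFERENCE = re.compile(r"\$\{?\w|%\w+%|\{\{")  # value is a variable lookup, not a literal
TEXT_SUFFIXES = {".ps1", ".psm1", ".sh", ".py", ".yml", ".yaml", ".properties", ".sql"}
RULES = {  # hypothetical rule names; heuristics for quoted literals only
    # a name containing password/secret/token/api key, assigned a quoted literal
    "credential-assignment": re.compile(r"""(?ix)
        [\w.$:-]*(?:passw(?:or)?d|pwd|secret|token|api[_-]?key)[\w-]*
        \s*[:=]\s*
        (?P<q>["'])(?P<value>.+?)(?P=q)"""),
    # PowerShell: ConvertTo-SecureString "literal" -AsPlainText
    "securestring-literal": re.compile(
        r"""(?i)ConvertTo-SecureString\s+(?:-String\s+)?(?P<q>["'])(?P<value>.+?)(?P=q)"""),
}

def scan_text(text, source="<memory>"):
    """Return a Finding per clear-text credential literal; comment lines are scanned too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                if not REFERENCE.match(match.group("value")):
                    findings.append(Finding(source, lineno, rule))
    return findings

def scan_tree(root):
    """Scan text-like files under root, skipping git metadata."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        findings += scan_text(path.read_text(errors="replace"), str(rel))
    return findings

# Constructed sample, not the script from the incident
SAMPLE_PS1 = '''\
# Constructed sample for the scanner
$tableauUser = "svc_report"
$tableauPassword = "Example-Pa55!"
$tisPassword = $env:TIS_DEV_PASSWORD
$cred = ConvertTo-SecureString "Another-Ex4mple" -AsPlainText -Force
$apiToken = "${TIS_TOKEN}"
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PS1, "sample.ps1"):
        print(f"{finding.source}:{finding.line}: {finding.rule}")
```

Any literal the scan reports should be rotated as well as removed, since it remains in the repository history.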
Timeline
2018-08-15 T:15.23 | Initial email from Mark Baldwin to HEE IT heads |
2018-08-15 T:16.01 | Email trail passed to TIS team to investigate |
2018-08-15 T:16.58 | HEE TIS DevOps initial investigation indicated no data breach had occurred |
2018-08-16 T:07.53 | HEE TIS Dev team confirm script not on any HEE TIS public repository, and filed this incident log |
Supporting Information
Slack: https://hee-nhs-tis.slack.com/
Jira issues: https://hee-tis.atlassian.net/issues/?filter=14213