Date	2018-08-15
Authors	Frederic Randriamora / John Simmons
Status	In progress/Complete
Summary	Credentials available on a public GitHub repository
Impact	Access to apps in dev

Root Cause

Credentials to the TIS Dev environment were published on a non HEE public GitHub repository.

Likely cause, ex-HEE employee, Kais Malique (DBA in the National Data Warehouse team) created a separate repository (referenced in the email sent to us) into which he put credentials to access both HEE Tableau and HEE TIS app. As a free GitHub repository, this was defaulted to 'Public'.

Trigger

Mark Baldwin (HEE IT Web Architect) found a public GitHub repository that looked like it had a HEE Tableau and HEE TIS Dev username and password in it. When the TIS team heard about the issue, we began our investigation.

Resolution

Ray has been able to contact Kais and he has now removed the content from the repository.

Determined that the script was written in PowerShell which we do not use in the project.

TIS team have checked all our HEE TIS repositorys and confirmed the script in the screenshot sent to us was not copied from them.

Determined that regardless of where the script was posted, the credentials listed in it could not be used to access confidential data. The credentials in the script for TIS gives access to the TIS app in the Dev environment. In this environment, data is obfuscated. The credentials do not give access to any of the other environments. So we are confident that no data breach has occurred.

From our investigation, we have, however used it as an opportunity to take some action items to further improve security:

Action Items

Action Item	Type	Owner
Find all the clear text credentials and encrypt them	mitigate/prevent	DevOps
Make sure all the TIS git repositorys are private	mitigate/prevent	DevOps
Make sure forking is forbidden	mitigate/prevent	DevOps / Scrum Master
Treat the account as compromised and remove it	mitigate/prevent	DevOps
Double check the user has no access to the databases	mitigate/prevent	DevOps

Timeline

2018-08-15 T:15.23	Initial email from Mark Baldwin to HEE IT heads
2018-08-15 T:16.01	Email trail passed to TIS team to investigate
2018-08-15 T:16.58	HEE TIS DevOps initial investigation indicated no data breach had occurred
2018-08-16 T:07.53	HEE TIS Dev team confirm script not on any HEE TIS public repository, and filed this incident log

Supporting Information

e.g. monitoring dashboards

Browser not supported