8 comments

[ 4.0 ms ] story [ 28.9 ms ] thread
Envoy, specifically, a startup that manages physical workplace access (ie. "Empower employees to reserve a desk in the workplace"), all with redundant storage of potentially sensitive employee information, like names, phone numbers, ID documents, legal agreements, physical access badge data and photos, etc.

Kind of surprised we haven't heard more about hacks among the proliferation of underbaked startups that backfill basic workplace and HR services.

But they’re SOC 2! /s
brb, getting my security team to endorse closing offices and going remote work-only because it reduces our online attack surface
Completely irrelevant, this triggers me how broken the workplace is while there’s a huge push to get people back to the office.

> "Empower employees to reserve a desk in the workplace"

This business shouldn’t have a need to exist at all!

At home I have a separate office, set up how I like/most productive. It just works and a nice productive environment. No having to *book*/find a desk, no broken monitors, cables, hubs or chairs. No being told to move as you found a comfy spot with working equipment and get in to the office consistently early to use that spot for multiple consecutive days.

According to Envoy CEO the Atlassian API key was compromised. Not saying how.
Atlassian decides which vendors they use and which vendors have access to their data. It's Atlassian's responsibility to protect the data that they have and to make sure that anyone they share that data with is taking similar steps. This is Atlassian's failure, their fault, and their responsibility. Hopefully they are right and no customer data was at risk.
Um. It doesn't matter how the attackers get your user's data - if they get it by compromising a third party, that means you had already given a third party full and unencrypted access to your user's data. I would bet anyone "agreeing" to let you share data with other companies assumed you were doing the standard "we help ad companies spy on you" BS, and not "all our data security claims are BS because we're providing full access to all your data to completely unrelated companies"
you didn't read.

it wasn't customer data - it was Atlassian employee data, which is exactly what is required to use Envoy