Months have been spent planning and millions have been invested. It is nearly time for the big announcement introducing the world to a market-disrupting innovation. But suddenly your plan is shattered as your organization’s secret announcement virally spreads across social media, and you realize your headlines have been stolen.
The cause? A malicious breach by a hacktivist, a disgruntled insider leaving for a competitor, or a rogue partner looking to make a name for themselves? None of the above. It was an accidental leak from your own corporate website. Your own corporate website, really?
With advanced cybersecurity systems, training, and policies widespread today, the accidental publishing of confidential or personal information to a corporate website should be extremely rare and innocuous at best. But you should think again. Some of the most noteworthy data leaks in the past few years – Apple, Facebook, LinkedIn, the U.S. Army, and the recent Red Cross data leaks – resulted from accidental website leaks.
We compiled seven website leaks in technology, sports, and entertainment that have recently shocked the world. In each case, prematurely exposed data impacted a forthcoming announcement.
Google’s Pixel Phone
Canadian wireless carrier Bell accidentally listed Google’s new Pixel phone on a link to preorder Samsung’s Galaxy Note7 on October 2, 2016. The problem? The Pixel announcement didn’t happen until October 4. It didn’t matter that the title and URL of the page were for the Galaxy Note7, as the image and copy were for the Pixel phone. So much for Google’s “October surprise.”
PlayStation EU Blog Preempts PlayStation Now Release
The PlayStation EU Blog announced on August 23, 2016 that PlayStation Now would be available on the PC, approximately two weeks before the official product launch and announcement on September 7, 2016. So what did gamers find out on September 7 that they didn’t already know on August 23?
EA Sports Prematurely Reveals New Manchester United Kit
Sports video gaming company EA Sports displayed a photo of Manchester United star Anthony Martial wearing next season’s jersey on its website, quickly deflating the build-up to the club’s announcement of its new kit (jersey).
The Xbox Store Reveals First Features of “Madden 17”
May 12 was an important date for those who play Madden NFL Football. It was the date when the cover athlete was named and also the day for the release of the first trailer. But on May 12, images from Madden 17 were posted by The Xbox Store and tweeted out, all but spoiling the surprise and ruining the announcement.
Lionel Messi Leaked as 2015 Ballon d’Or Winner
Lionel Messi was leaked as the winner of FIFA’s prestigious 2015 Ballon d’Or (men’s category) a week prior to the actual ceremonial announcement on January 11, 2016. FIFA attempted to deny the news with a series of tweets and announcements. We are left to wonder how much suspense and uncertainty hung in the air at the award ceremony when the words, “And the winner of the 2015 Ballon d’Or is …,” were spoken.
Disney Floats Opening Date for “Rivers of Light”
The opening date of Disney’s “Rivers of Light” at its Animal Kingdom in Walt Disney World was accidentally disclosed when Disney added information, which was subsequently removed, about a variety of special dining packages for Rivers of Light beginning May 1, 2017. Now that the light at the end of the river is known, including restaurants, menu options, and prices, the much-anticipated release is no longer anticipated.
The Sun Online Shines the Light on X Factor’s Sixth Chair Challenge
The Sixth Chair Challenge is a big lure for the audience of the X Factor. Hopefuls are awarded a seat but have it taken away and given to another contestant. The uncertainty of the final outcome of the show is what keeps the audience engaged. The Sun Online, a modelling agency, posted the results of the challenge seven weeks prior to the final outcome on its website. So much for the “x factor” and keeping the audience in suspense.
How to Prevent Accidental Website Leaks
The shocking reality behind embarrassing website leaks is that most of them can easily be avoided. In a time of extreme pressure and last-minute deadlines, organizations can no longer simply depend upon human processes to review and control what information should be shared with third parties and when it should be posted on their website. A safety net that monitors for an accidental release of confidential information prior to the announcement date can go a long way in automating the avoidance of a public-relations disaster.
Information security teams can easily enhance their existing web technology (reverse proxy) to ensure web content is automatically inspected at the most granular levels, and then redacted and sanitized prior to being published on the corporate website. This includes the detection and removal of confidential information parsed and distributed as web copy, images, complete or sub-file documents, as well as information that has been copied and pasted into other marketing and communication form factors.
Automatically sanitizing all documents being published removes often overlooked revision history, comments, and hidden metadata that can be embarrassing if distributed outside the organization. Imagine if you mistakenly sent an embargoed press release to hundreds of media publications that included internal comments discussing positioning and competitive strategies.
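As an added illustration of the pre-publication check described above (not code from the author or from any vendor product), the following Python sketch inspects a .docx package for reviewer comments, tracked changes, and populated author fields so a publishing pipeline can block the file until it is sanitized. The function names and the sample document are constructed for this example.

```python
import io
import re
import zipfile

# Tracked-change elements in the main body of an Office Open XML document.
TRACKED = re.compile(rb"<w:(?:ins|del|moveFrom|moveTo)\b")
# Populated identity fields in the core-properties part.
IDENTITY = re.compile(rb"<(dc:creator|cp:lastModifiedBy)>([^<]+)<")


def audit_docx(data: bytes) -> list[str]:
    """List hidden content that would leave with a .docx if published as-is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "word/comments.xml" in names:
            findings.append("reviewer comments (word/comments.xml)")
        if "word/document.xml" in names:
            n = len(TRACKED.findall(pkg.read("word/document.xml")))
            if n:
                findings.append(f"{n} tracked change(s) in word/document.xml")
        if "docProps/core.xml" in names:
            for field, value in IDENTITY.findall(pkg.read("docProps/core.xml")):
                findings.append(f"{field.decode()} = {value.decode()!r}")
    return findings


def make_sample(draft: bool) -> bytes:
    """Constructed sample: a minimal .docx-shaped package, draft or clean."""
    body = b"<w:document><w:body><w:p><w:r><w:t>We launch today.</w:t></w:r>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        if draft:
            body += (b'<w:del w:author="pm"><w:r><w:delText>undercut the '
                     b"competition</w:delText></w:r></w:del>")
            pkg.writestr("word/comments.xml",
                         "<w:comments>position vs rival</w:comments>")
            pkg.writestr("docProps/core.xml",
                         "<cp:coreProperties><dc:creator>J. Doe</dc:creator>"
                         "</cp:coreProperties>")
        pkg.writestr("word/document.xml", body + b"</w:p></w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, draft in (("draft", True), ("clean", False)):
        found = audit_docx(make_sample(draft))
        print(label, "BLOCK" if found else "PUBLISH", found)
```

This only detects the hidden parts; removing them safely also means updating the package's relationship and content-type entries, which is why a dedicated sanitizer is normally used for that step.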
Adaptive security policies are key to identifying and preventing accidental leaks without disrupting time-sensitive communications with burdensome false positives. Redaction and sanitization policies can be configured to remove only the confidential information detected, allowing the rest of the post or communications to continue without quarantines or delays.
Adaptive security policies will only be successful in a dynamic organization when the stakeholders who have the most to lose and are the closest to the project are empowered to protect their confidential information. IT security departments may not be familiar enough with the confidential information associated with the announcement (e.g., new design image, logo, or product names) to set the appropriate policies. As a result, enabling adaptive classification and crowd-sourced security policies to be set by key stakeholders helps ensure complete protection.
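The redaction and stakeholder-policy ideas above can be sketched as follows. This is an added example, not the author's or any vendor's implementation: stakeholders register embargoed terms with a release date, and outbound page text has only those terms masked until the date passes, so the rest of the page publishes without delay. The rule fields, product names, and dates are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class EmbargoRule:
    owner: str      # stakeholder who registered the term (hypothetical field)
    term: str       # confidential word or phrase
    release: date   # first day the term may appear publicly


def redact(text: str, rules: list[EmbargoRule], today: date):
    """Mask only embargoed terms; return (clean_text, alerts for owners)."""
    alerts = []
    for rule in rules:
        if today >= rule.release:
            continue  # embargo lifted: the term passes untouched
        # Tolerate case and spacing/hyphen variants of the registered phrase.
        # Assumes terms begin and end with a word character.
        words = map(re.escape, rule.term.split())
        pattern = re.compile(r"\b" + r"[\s\-]*".join(words) + r"\b", re.I)
        text, count = pattern.subn("[REDACTED]", text)
        if count:
            alerts.append((rule.owner, rule.term, count))
    return text, alerts


# Constructed sample: an unannounced product named on another product's page.
SAMPLE_RULES = [EmbargoRule("product-marketing", "Orion X", date(2030, 1, 15))]
SAMPLE_PAGE = ("Preorder the Nova 7 today. "
               "Coming soon: the orion-x with all-day battery.")

if __name__ == "__main__":
    for day in (date(2030, 1, 2), date(2030, 1, 15)):
        clean, alerts = redact(SAMPLE_PAGE, SAMPLE_RULES, day)
        print(day, "|", clean, "|", alerts)
```

The alerts list is what lets the owning stakeholder learn that a page tried to publish their term early, without the page itself being quarantined.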
Key Accidental Website Leak Prevention Tips
- Enhance the existing web proxy to inspect and remove confidential information (if this capability is not available on the existing proxy, vendor-independent ICAP add-ons are available)
- Sanitize all shared documents to automatically remove hidden revision history, comments, and metadata
- Leverage redaction policies to remove only confidential information, thereby eliminating delays and false positives
- Empower key stakeholders to classify confidential information related to their announcement by crowdsourcing information security policies
By Scott Kosciuk, Clearswift