A GitHub repository was public-viewable

Update March 7, 2022: We appreciate the feedback from the community and our customers, and additionally emailed users as part of this disclosure (and Discord, live video shows). We apologize for not doing that in parallel as the post/disclosure on Friday, March 4, 2022.

We’ve recently become aware of an inadvertent private-to-public viewable GitHub repository that could have enabled unauthorized access to information about certain user accounts on or before 2019.

The inadvertent disclosure involved an auditing data set used for employee training becoming public, on a GitHub repository associated with an inactive former employee’s account who was learning data analysis. The repository contained some names, email addresses, shipping/billing addresses and/or whether orders were placed successfully via credit card processor and/or PayPal, as well as details for some orders. There were no user passwords or financial information such as credit cards in the data analysis set.

Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved. Although we are unaware of any actual misuse of the information, we are providing this notice to you for transparency and accountability. We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use.

As a reminder, for your security, we will never send you a link to reset your password as part of a security alert, our customer support team will never contact you asking for your password. If you receive an email of this nature, or otherwise suspect that someone is attempting to gain access to your account or solicit your personal information, or have any other questions about this process, please contact us at [email protected]

We would also like to thank all individuals who have and continue to contribute to the security of our users by disclosing vulnerabilities to us responsibly https://www.adafruit.com/reportingsecurityissues

Why aren’t we sending an email to every user?
We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case. Adafruit publishes all security disclosures on our blog and security pages. There is no action for the users to perform. There were no user passwords or financial information such as credit cards in the data analysis set.

We will continue to update the disclosure page with additional details and/or clarifications. The data set was unintentionally made public during an employee exit procedure handoff.

Update March 7, 8, 9, 10, 2022: Users notified via email (emails will contain “datanotifications” and be from the adafruit.com domain), Discord, & live video show(s) “Show and Tell”, ASK an ENGINEER.

https://www.adafruit.com/reportingsecurityissues
https://www.adafruit.com/responsibledisclosurethanks

Previous disclosure post(s):
https://blog.adafruit.com/2016/11/01/keeping-your-account-protected/

Phillip Torrone, Managing Director & Limor “Ladyada” Fried, founder and the Adafruit team – Adafruit, 150 Varick Street, NY, NY 10013

Here are additional notes and video clips from our shows during the disclosure, as we worked with our community, answered questions via email, live video chats and more, we’ve collected them and put them here to preserve them and refer to later as needed. ASK AN ENGINEER MARCH 10, 2022 (12 min, 38 sec).

Why does anyone have access to PII other than for the actual operation of the web site and business?
• Employees at Adafruit only have access to or use PII for the necessary operation of the business and web site. The PII in this incident was data used in a legitimate monthly audit. The code and dataset folder the employee was working on were committed to their private GitHub account, without our knowledge and against our internal policies and standard practices, during the hand-off from the previous employee running the auditing tool.
• We chose the phrases “training” and “learning data analysis” in our disclosure because the incident occurred during the handover of the task, while training the employee to run the audit. The employee was not performing purely “learning / training” exercises using PII.
• Neither employee had access to PII data directly from our production database. The PII was part of a monthly generated order history report used to perform the audit.
• We are taking further steps designed to ensure that any generated report contains the minimum necessary customer information and are introducing additional training and education for the handful of Adafruit employees who interact with this type of data.

Is there something unique about Adafruit that prevents simulated, generated or otherwise “masked” data from being used development and testing?
• Adafruit uses simulated / scrubbed / “masked” data in development and testing environments and has for several years. We take appropriate steps designed to ensure that we do not use unscrubbed customer data in development or testing environments.

Additionally is there any limitation to which employees should be able to access PII and other sensitive data?
• Yes, several. We have an internal permissions system which are designed to prevent access to any tools, systems, or reports that are out of scope for a given employee’s role and responsibilities. Adafruit employees do not have access to our production database outside of a handful of trained IT professionals. We are taking further training and education steps with our staff in light of what happened here.

March 4, 2022 AT 8:00 am