Loading Dock Chaos: CIO Had No Idea What His Passwords Could DoWritten by Evan Schuman
What happens when the keys to a retailer’s supply chain show up on Google? In the case of one multi-billion-dollar regional chain this week, it resulted in the ability of anyone to change the information of all loads expected at the retailer’s distribution centers—dates, times, contents of the load, number of pieces, weight, pallets, the product ready date and the vendor call date.
In short, in the hands of an evil-minded competitor (in retail, are there any other kinds?), that Google-provided password could do a huge amount to slow down a rival, in addition to knowing inventory shipment plans so they can be countered. It represents a critical security breach—and one that started with the simple decision to put a confidential manual in a Web site subdirectory. That single password—which was printed in that Google-available PDF—unlocked a third-party’s servers and revealed a supply-chain security hole large enough to drive a fleet of Mack trucks through.
What started this week with an analyst’s accidental discovery of a retailer’s confidential supply-chain manual PDF during a Google search morphed into a series of mega-headaches for the chain’s CIO. That now publicly available password opened detailed reports on every single shipment the chain did for as many months as the visitor wanted to see, including details of future shipments and the ability to edit and change those freight schedules. Although the system was supposed to first require shipment details from the user, it actually provided those details to anyone following on-screen guidance.
Due to the ongoing security exposure of this chain—which has yet to change the passwords—StorefrontBacktalk is withholding the retailer’s identity from this story. (Update: After this story was published, the password was changed. It was some four days after the chain was alerted to this problem, but it has now been changed.)
When we initially contacted the chain’s CIO, he didn’t think it was a concern; he believed that the password had extremely limited access, such as for generic routing instructions. Subsequent efforts, though, quickly changed his mind.