Loading Dock Chaos: CIO Had No Idea What His Passwords Could Do
Written by Evan Schuman

What happens when the keys to a retailer’s supply chain show up on Google? In the case of one multi-billion-dollar regional chain this week, it resulted in the ability of anyone to change the information of all loads expected at the retailer’s distribution centers—dates, times, contents of the load, number of pieces, weight, pallets, the product ready date and the vendor call date.
In short, in the hands of an evil-minded competitor (in retail, are there any other kinds?), that Google-provided password could do a huge amount to slow down a rival, in addition to knowing inventory shipment plans so they can be countered. It represents a critical security breach—and one that started with the simple decision to put a confidential manual in a Web site subdirectory. That single password—which was printed in that Google-available PDF—unlocked a third-party’s servers and revealed a supply-chain security hole large enough to drive a fleet of Mack trucks through.
What started this week with an analyst’s accidental discovery of a retailer’s confidential supply-chain manual PDF during a Google search morphed into a series of mega-headaches for the chain’s CIO. That now publicly available password opened detailed reports on every single shipment the chain had received for as many months back as the visitor cared to look, including details of future shipments, and it allowed those freight schedules to be edited. The system was supposed to require the visitor to supply shipment details first, as a second check, but its on-screen guidance handed those details to anyone who followed the prompts, so the password alone was enough.
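The root cause above is a confidential manual, with a live credential printed in it, sitting in a web-served subdirectory where a crawler could index it. The following is an added example (not StorefrontBacktalk’s code, nor anything from the retailer or its carrier) of the pre-publish check a security team would run over a web document root: walk the tree, look for password-style strings and confidentiality markers, and report the hits with the secret masked so the report itself does not become a second leak. It assumes that PDFs have already been converted to sidecar text files (for instance with `pdftotext manual.pdf manual.txt`); the directory layout, file names and the routing-guide text are constructed for the demo.

```python
"""Pre-publish scan of a web document root for credential-like content.

Added example, not code from the article, the retailer or its carrier.
Walks a directory that is (or is about to be) served over HTTP and flags
files whose text contains password-style strings or confidentiality
markers. PDFs are handled only if their text has already been extracted
to a .txt sidecar (assumed here, e.g. `pdftotext manual.pdf manual.txt`).
"""
import os
import re
import tempfile

# Things that should never sit in a public web root. Group 1 names the
# field; group 2 captures the secret so the report can mask it.
PATTERNS = [
    ("password", re.compile(r"\b(pass(?:word|wd|phrase)|pin)\s*[:=]\s*(\S+)", re.I)),
    ("login",    re.compile(r"\b(user(?:name|id)?|login|account)\s*[:=]\s*(\S+)", re.I)),
    ("marker",   re.compile(r"\b(confidential|internal use only|do not distribute)\b()", re.I)),
]

# File types read directly; anything else (PDF, DOC) needs extraction first.
TEXT_SUFFIXES = (".txt", ".htm", ".html", ".md", ".csv")


def mask(secret):
    """Keep only the first character so the findings report is safe to circulate."""
    if not secret:
        return ""
    return secret[0] + "*" * (len(secret) - 1)


def scan_text(text):
    """Return a list of (kind, line_no, redacted_snippet) findings for one document's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                secret = m.group(2)
                snippet = line.strip()
                if secret:
                    snippet = snippet.replace(secret, mask(secret))
                findings.append((kind, line_no, snippet))
    return findings


def scan_root(root):
    """Walk a directory tree; map each offending file (relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue  # binary formats: extract text to a sidecar .txt first
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Build a constructed web root with one leaky manual and one clean page, then scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "docs", "vendors"))
    # Constructed sample text standing in for a supply-chain manual's extracted text.
    with open(os.path.join(root, "docs", "vendors", "routing-guide.txt"), "w") as fh:
        fh.write("ACME Stores Vendor Routing Guide - CONFIDENTIAL\n"
                 "Schedule appointments at the carrier portal.\n"
                 "Login: acmevendor\n"
                 "Password: Dock2011!\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>ACME Stores</h1>"
                 "<p>Store locator and weekly ad.</p></body></html>\n")
    return scan_root(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for kind, line_no, snippet in findings:
            print(f"{path}:{line_no}: [{kind}] {snippet}")
```

A hit on the "marker" pattern alone is worth a look even without a credential: a document that calls itself confidential has no business in a served directory regardless of what it contains. Note also that a `robots.txt` disallow would not have fixed this case, since anyone who guessed or was sent the URL could still fetch the file; the document has to come off the public tree.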
Due to the ongoing security exposure of this chain—which has yet to change the passwords—StorefrontBacktalk is withholding the retailer’s identity from this story. (Update: After this story was published, the password was changed. It was some four days after the chain was alerted to this problem, but it has now been changed.)
When we initially contacted the chain’s CIO, he didn’t think it was a concern; he believed that the password had extremely limited access, such as for generic routing instructions. Subsequent efforts, though, quickly changed his mind.
