Who we are
We are a cyber security consultancy that aims to protect private data, identify data leaks, and follow a responsible disclosure policy.
We have worked for several well-known security and software companies to obtain the knowledge and skills to conduct the research we do. Our data discoveries have been covered by major news and technology media from around the world.
It is our mission to identify data exposures and help protect the data of everyone who may be affected by data leaks, breaches, and hacking. As consultants we work with various companies, organizations, and institutions to provide guidance throughout the disclosure process. We are dedicated to discovering digital risks and violations and then reporting that information in a responsible way. The scope of our research is to identify cyber threats and data leaks and to protect sensitive data.
We value your privacy and the privacy of the data we discover. We know that cyber-criminals target user data for a wide range of crimes. These crimes can be everything from identity theft to cyber espionage and stealing intellectual property.
Cyber-criminals and even state-sponsored hacking groups are focused on finding an organization’s weak points, and once they do, they launch a series of targeted cyber-attacks. We have seen time and time again that most companies, large and small, have security teams that are underfunded and understaffed. In an age of ever-evolving cyber risks, most organizations cannot provide complete privacy protection. Once a data breach or a hack has happened, they need help to understand what happened and why.
Is this data legal?
When data is publicly available to anyone with an internet connection it is considered “public” even if it is sensitive or should not be online. Our legitimate interest as cyber security researchers provides the lawful basis for processing and identifying this data to help secure it from public exposure.
Here is the analysis that we conduct:
Purpose test: do we have a legitimate interest in data security?
• Yes. Processing for the purposes of information and data security is recognised as an overriding legitimate interest under the GDPR regulations (Europe), Recital 49.
Necessity test: is data processing necessary for identification and for our legitimate interest?
• Yes. The ability to review the data and determine its sensitivity helps us secure the breach and protect the data from further exposure.
Walking a fine line with responsible disclosure:
• We are open and transparent with our discoveries
• Most data owners or managers understand the value of our efforts and due diligence in identifying the data.
• We identify and then limit our own access to data for verification purposes only and securely delete that data after all disclosures have been made.
Our process: how we find exposed data and vulnerabilities
There are many different ways and methods to find data breaches, leaks, and other vulnerabilities online. We have developed our own proprietary tools that help us analyze data and we also use the Shodan Search Engine.
Once a public database has been discovered, we pull samples of that data and manually analyze it to see exactly what we are looking at. When we discover private and sensitive data that is fully accessible to anyone without any passwords or other restrictions, we contact the owners of that database to help secure it. Our goal is to provide assistance in protecting their private data and that of their users or customers.
Our disclosure policies ensure that:
• Details of the data exposure and information about the organization responsible for the data breach.
• Data we discover is not changed, modified, or altered in any way.
• We make sure the data is no longer exposed before making any details available publicly on securitydiscovery.com or in other news media.
• We do not share leaked data with any third parties or agencies unless asked to cooperate with law enforcement agencies.
Specific details about the data we discover:
• Count of elements contained in the data store
• Date of scan
• IP address
• Host name
• Size of the data service
• Database name
• Collection names
• Table names
• Number of records in database
Our mission is to identify sensitive data, notify the owner or responsible parties, and prevent further damage.
How we process exposed data
We use non-intrusive methods and never use passwords or administrative credentials to dig deeper into accounts or databases. Any and all data that we discover could be accessed by anyone with an internet connection and a web browser. Once discovered, results are transferred internally for further analysis. The data discoveries are then safely stored internally while we verify and analyze exactly what they contain and who is impacted. We use strict data protection methods to ensure the exposed data is safe until we delete it from our possession.
Only members of our research team have access to this data.
• We ensure its security, integrity, and confidentiality.
• We securely delete all compiled data within a week after the investigation is complete and the case is closed.
We believe in Responsible Disclosure Practices
We understand that technology moves faster than regulation and that many companies and individuals do not keep up with best security practices. We care about the work we do and about the people who have little or no control over the data that has been exposed. We employ best practices for responsible reporting and believe that our discoveries make the internet a safer place and highlight the dangers of poor cyber security.
• We keep communication channels open to allow effective collaboration during and after a discovery. This may include consulting services or additional testing.
• We identify and report the vulnerabilities we discover and notify the owner of the database. The report includes all details necessary to understand the vulnerability, including a description of its location and potential impact, the steps to reproduce it, and exploit code, if any.
• We do not disclose any vulnerability until it has been safely secured or resolved.
• Vulnerabilities may be publicly disclosed after the case has been closed and the data is secured or in rare cases where every reasonable attempt was made to notify a company that refused to take action to secure their data.
We respect the sanctity of the data that is uncovered in our findings. We wish nothing more than to cooperate in good spirit and to offer reasonable assurances with regard to the security of the data within our control. We assume no liability or responsibility for companies or organizations that publicly expose their private data online with no password protection or other security measures.