The error was discovered by a team member two days later and the key’s code was removed from GitHub.
The same employee, however, failed to fully disable and remove the old key after creating a new one. As a result, the compromised key could still be used to access ShopBack's servers until about 15 months later.

These included the e-mail addresses of about 1.4 million users, 840,000 names, 450,000 mobile numbers, 300,000 bank account numbers, and the partial credit card information of about 380,000 users.
“This position is not accepted... Organisations cannot place sole reliance on their employees to perform their duties properly as a security arrangement to protect personal data. There must be some process to ensure that the step required from the employee is taken, such as independent verification by another checker.”
To prevent the incident from happening again, ShopBack stepped up its monitoring of logs so that any unauthorised access would be detected.
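The failure described above, a new key created but the old one never disabled, is exactly the kind of step an automated check can verify instead of relying on the employee. The following is an added example, not code from the article or from ShopBack: it audits a credential inventory (a constructed sample here; the key format and field names are assumptions) and flags keys that were superseded by a newer one but remain active, as well as active keys older than a maximum age.

```python
from datetime import datetime

# Constructed sample inventory (not data from the article): one record per
# credential. A real inventory would be exported from the platform's IAM system.
KEY_INVENTORY = [
    {"user": "deploy-bot", "key_id": "KEY-OLD-001", "created": "2019-09-01", "status": "Active"},
    {"user": "deploy-bot", "key_id": "KEY-NEW-002", "created": "2019-09-03", "status": "Active"},
    {"user": "analytics",  "key_id": "KEY-003",     "created": "2020-11-20", "status": "Active"},
    {"user": "ci-runner",  "key_id": "KEY-004",     "created": "2020-01-10", "status": "Inactive"},
    {"user": "ci-runner",  "key_id": "KEY-005",     "created": "2020-12-01", "status": "Active"},
]


def audit_key_rotation(inventory, today, max_age_days=90):
    """Return a list of findings. `today` is a YYYY-MM-DD string.

    Finding types:
      superseded_key_still_active  - an older key is still Active although the
                                     user already has a newer key (rotation was
                                     started but never completed)
      active_key_over_max_age      - an Active key older than max_age_days
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    by_user = {}
    for rec in inventory:
        by_user.setdefault(rec["user"], []).append(rec)

    findings = []
    for user, keys in by_user.items():
        keys = sorted(keys, key=lambda k: k["created"])  # oldest first
        newest = keys[-1]
        # Every key except the newest has been superseded; it must be disabled.
        for k in keys[:-1]:
            if k["status"] == "Active":
                findings.append({"user": user, "key_id": k["key_id"],
                                 "issue": "superseded_key_still_active",
                                 "superseded_by": newest["key_id"]})
        # Independently of rotation, no active key should exceed the max age.
        for k in keys:
            age = (now - datetime.strptime(k["created"], "%Y-%m-%d")).days
            if k["status"] == "Active" and age > max_age_days:
                findings.append({"user": user, "key_id": k["key_id"],
                                 "issue": "active_key_over_max_age",
                                 "age_days": age})
    return findings


if __name__ == "__main__":
    for finding in audit_key_rotation(KEY_INVENTORY, "2020-12-15"):
        print(finding)
```

Run on a schedule, a non-empty result is the "independent verification by another checker" the regulator describes, and it would have caught a key left active for 15 months long before an attacker did.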