Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.
Jonathan Deveaux, head of enterprise data protection at comforte AG, commented:
“Each newly reported data breach or data exposure incident brings to light how much access some employees have, and also, what are some not-so-well-known places where exposed data or credentials may show up. Some privileged employees may certainly have a need or directive to possess ‘keys to the technology kingdom.’ They may also find it challenging to keep the dozens of user names and passwords securely managed, yet accessible, to perform their day-to-day responsibilities. But it is clear that organizations need additional data protections beyond access safeguards to ensure their ‘crown jewels’ are kept secured. Orvis is fortunate that no reports of customer data were leaked, as this 160-year-old retailer may have had to answer data privacy questions as cited in several regulations in jurisdictions in which they do business.”