I Don't Think I Was Supposed to See That

by lg0p89

Data security at times is underrated.  Unauthorized persons viewing material is bad enough; however, when that material comes from senior management, you have a recipe for issues and hurt feelings.  One area for this leakage has been documents.  At least two businesses I consulted with have been Microsoft shops.  This gives the curious ample areas to peruse for fun.

One of these apps is Delve.  If you happen to have a bit of spare time, for example a Friday after lunch when everyone is in a food coma, take a quick look around.  Finding this, if you haven't already had the pleasure, is easy (open the Office app and you'll see Access, Calendar, Delve, Excel, etc.).  Just click on that happy Delve icon.  Here you'll see Home, Me, Favorites, and People.  To get to the juicy bits, click on People.  Here you'll see your command/management structure.  Now the fun begins.

First, take a look at your documents.  You'll see the documents you have emailed and worked on recently.  Now, if you are brave enough, you can look at other people by clicking on the people you work with to see what they have emailed, authored, or modified recently.  (Warning: they may become irritated if/when they find out.)  That is an awfully large range of documents to let others simply have access to.

The first place I noticed this was at a manufacturing company.  I was a little bored and began tooling around, seeing what I could see.  In my adventure, I saw the CISO's name and thought it might be interesting to check out what was new.  Yes, indeed there were a number of documents I probably should not have seen.  These included budgets and other documents well above my pay grade.

Being naturally curious, I repeated this clicking activity at the next place.  If it worked once, twice certainly should be the charm.  Well, it worked again.  This time, I was a bit more adventurous.  I was able to see the documents for the CEO and COO, as well as human resources and other management members.  Just by clicking a few items and not doing anything exciting or using mental gymnastics, I was seeing purchase orders, resumes for applicants and staff, research papers, bids, policies, incident responses, and many other items that should have been confidential, yet anyone could look at them.  Fortunately for me, I was also able to see co-workers' documents.

The Delve disclaimer on the screen says that you, the user, can only see files/documents you have access to.  This sounds very official and makes it seem as if rules have been put in place to limit access based on the user's role, position, or work group.  Not really.  You tend to have access to most documents because the document owner (the target) doesn't know about limiting who has access to them or marking them confidential.  This may be the case in IT, but not with operations.  It is likely that staff outside of IT are relatively clueless regarding the issue.  Mitigating this involves more than clicking one button.

In my case, this was reported to IT as a potential problem.  As a responsible researcher, this was appropriate.  Was this fixed or at least mitigated in some fashion?  No.
