Huddle's 'highly secure' work tool exposed KPMG and BBC files

From BBC - November 13, 2017

The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.

A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.

Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration".

The company said it had fixed the flaw.

Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages.

"If somebody is putting themselves out there as a world-class service to look after information for you, it just should not happen," said Prof Alan Woodward, from the University of Surrey.

"Huddles contain some very sensitive information."

In a statement, Huddle said the bug had affected "six individual user sessions between March and November this year".

"With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare," it said.

As well as a BBC employee being redirected to the KPMG account, Huddle said a third party had accessed one of the BBC's Huddle accounts.

KPMG has not yet responded to the BBC's request for comment.

How was the flaw discovered?

On Wednesday, a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform.

How did this happen?

How has Huddle addressed this?

