Ateam, a Japanese company that creates software and entertainment content for mobile devices, reported about a potential leak of the personal information of nearly a million customers, partners, and employees due to incorrect permissions on one of its Google Drive instances.
The company first warned about the possibility of a data breach earlier this month but confirmed it via a follow-up announcement after the conclusion of the relevant internal investigation.
Ateam discovered on November 21, 2023, that the permissions of one of its Google Drive cloud instances were set to allow anyone on the internet with a valid link to the files to view them. This means those knowing the URL could access sensitive personal data without a password. The misconfiguration occurred in March 2017, so the exposure period is nearly five years.
The information that was exposed impacts 935,779 people and includes the following:
- Full names
- Email addresses
- Customer management numbers
- Physical addresses
- Phone numbers
- Terminal identification numbers
The exposure impacts customers who have used Ateam services and users of its mobile applications, business partners who were contracted or even had correspondence with the group, interns, job applicants, and current and former/retired employees.
Ateam began sending notifications of a data breach to exposed individuals on December 20, 2023 and informed the Japanese data protection authorities of the data breach.
Google Drive exposure possibility
At this time, the company has not seen any signs of the data having been exposed to unauthorized parties, leaked on online platforms such as hacking forums or the dark web, and misused to conduct impersonation and fraud.
“At the time of this announcement, there has been no confirmation whether any unauthorized use of data or other damages have occurred. We ask those who were potentially affected to be careful with any suspicious inquiries. We will make every effort to prevent the damage from spreading.”
Ateam
It is unlikely for someone to randomly find the specific URL to the Google Drive instance, but current or former company employees could have leaked or shared it with others. Moreover, while web crawlers generally don’t access or index private Google Drive links unless they are publicly shared or linked from a public website, if the permissions are set to allow anyone to view the files, they could potentially find and index the content, making it discoverable through search engines.