OWASP, the Open Worldwide Application Security Project Foundation, has revealed a data breach stemming from a misconfiguration of its old Wiki web server. This breach exposed the resumes of certain members, spanning from 2006 to 2014, leading to the exposure of personally identifiable information such as names, contact details, and physical addresses. Although OWASP has taken steps to address the breach, including disabling directory browsing and removing resumes from the wiki site, affected individuals are advised to remain vigilant.
The incident, discovered in late February following support requests, primarily affected members who joined OWASP between 2006 and 2014 and submitted resumes as part of the membership process. OWASP’s Executive Director, Andrew van der Stock, acknowledged the exposure of personal information and clarified that the foundation no longer collects resumes during the membership process. While OWASP will notify affected individuals via email, many of them are no longer members, and the exposed information may be outdated.
In response to the breach, OWASP has implemented various measures to mitigate further access, including reviewing web server configurations, purging the Cloudflare cache, and requesting the removal of exposed resume information from the Web Archive. Van der Stock emphasized that OWASP has already removed affected information from the internet and advised individuals to exercise caution if their personal information is still current. Despite these efforts, the breach underscores the importance of robust security measures and ongoing vigilance to safeguard against data breaches and privacy risks.
