Security Upgrade Incident
Incident Report for Plecto
Resolved
On Wednesday, 23rd of August 2017, at 11:05:14 one of our engineers released a new version of Plecto including a security update. The security update was not tested thoroughly enough and contained a bug in the part of the code that routes real-time updates to the correct TV.

This meant that as of 11:05:14 and forward, all real-time updates were sent to all TV screens across clients in Plecto and not only the correct TV. This includes widget updates as well as notifications. This means that most of our connected TVs received notifications from different customers as well as widgets that did not belong to the dashboards they had open.

At 11:06:23 we discovered that the security update contained an issue and immediately rolled back the change, and at 11:06:28 the issue was resolved.

A few minutes later we issued a "re-load" command to all TVs connected to Plecto in order to clean any data that had been pushed, effectively deleting any data that had been sent earlier.

Unfortunately, we do not log updates to widgets and therefore it is not possible to say what exactly was sent during the one-minute frame. However, as the data came from different dashboards, the widgets were placed on top of each other, making it practically impossible to read any of it.

In case it is not completely clear - no one had access to your actual dashboards, data sources, users, formulas or anything else. The only things that were transmitted are individual widgets which updated in the one-minute interval as well as notifications.

We have no reason to believe that any of the data we sent has been saved before we had a chance to delete it again and we have no reason to believe anyone could have understood any of the data that was transmitted, as it would have only been fractions of widgets that were visible.

Data security remains our highest priority and we have taken every step necessary to ensure your data remains safe with us. As a direct consequence of this incident, we are putting new safety measures in our code deployment process. This incident happened in one of our older components. We are going to completely re-write this and any other critical components to ensure there are multiple checks in place.

If you have any questions about the above, our data security or anything else, please contact us at support@plecto.com, via chat or via phone: +45 71997160 or +1 (646) 693-8860.
Posted Aug 23, 2017 - 18:24 CEST