RigUp Security Update
We were informed on April 7 by security research company vpnMentor – which seeks to expose security breaches as part of its business – that unauthorized users may have been able to access RigUp information outside of our platform. We are thankful they alerted us, and we immediately secured the affected files and notified impacted users. The vast majority of the documents were public profile assets that were uploaded by users (e.g. profile pictures, resumes), and less than 1% of documents contained sensitive personal information.
This was not a database or system access breach. There is no indication of unauthorized access to the database, the operating system, or non-public elements of the network. We can also confirm that there was no leak of passwords or banking information, which are stored in separate systems.
What files were impacted?
RigUp is a labor marketplace. Our users upload documents to their profiles such as resumes, profile pictures, work-related certifications, and insurance so they can be viewed by our network of recruiters and companies hiring skilled workers. These files were temporarily accessible.
We are conducting a full audit of our network and application security infrastructure. That includes a manual review of each file uploaded. A small group of users may have had W9 information accessible, which includes their social security number. We will be reaching out to those individuals directly.
How did this happen?
A public web storage bucket was misconfigured to allow content listing, i.e. enumeration of every file it held. This content is public by design and is intended to be shared and linked to without requiring a login. However, the storage bucket should not have allowed content listing, only direct access to individual files by their URL. The presence of the smaller set of sensitive documents in this bucket was the result of the files being published in the incorrect location, and this has since been resolved.
This was not a database or system access breach. There is no indication of unauthorized access to the database, the operating system, or non-public elements of the network.
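The distinction drawn above, between direct file access and content listing, is the one an audit of a public asset bucket has to check for. The following is an added example, not RigUp's configuration or code; the notice does not name the storage provider, so it assumes AWS S3 bucket policy syntax and constructed bucket names. It shows a policy with the weak setting (anonymous s3:ListBucket) beside the corrected one (anonymous s3:GetObject on objects only), and a small audit function that flags any Allow statement granting listing to everyone.

```python
import fnmatch
import json

# Constructed example policies (assumed AWS S3 syntax; the bucket name is made up).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Direct file access by URL: this is all a public asset bucket needs.
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-assets/*",
        },
        {   # Listing lets anyone enumerate every key, including files that
            # were published into the bucket by mistake.
            "Sid": "PublicListing",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-public-assets",
        },
    ],
}

# Corrected policy: keep only direct object reads, drop the listing grant.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [WEAK_POLICY["Statement"][0]],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone, not just named accounts."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_listing(action):
    """True when an action string covers s3:ListBucket (wildcards such as s3:* included)."""
    return fnmatch.fnmatchcase("s3:listbucket", action.lower())


def public_listing_findings(policy):
    """Return one finding string per Allow statement that lets anonymous callers list the bucket.

    `policy` is a dict or a JSON string in IAM policy syntax. Statements using
    NotAction/NotPrincipal are reported for manual review rather than evaluated.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{sid}: uses NotAction/NotPrincipal, review manually")
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if any(_grants_listing(a) for a in _as_list(stmt.get("Action", []))):
            suffix = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"{sid}: anonymous s3:ListBucket{suffix}")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, public_listing_findings(pol) or ["no public listing grant"])
```

Removing the listing grant does not make the objects private: anything in the bucket is still reachable by anyone who knows or guesses its URL, which is the "public by design" behaviour the notice describes. That is why the second half of the fix, keeping sensitive documents out of the public bucket entirely, matters as much as the policy change.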
Are there any actions that contract workers need to take?
No further action is required from you at this time. All affected users will be contacted by RigUp.
What is RigUp doing to protect customers?
We are continuing the investigation and will be reaching out to users who are directly impacted. The security of our users’ information is always a top priority, and we will be performing an extensive audit of our network and application security infrastructure.
Can I continue to use my RigUp account? Do I need to change my password?
Password information was not affected. However, we recommend you change your password regularly as a security best practice.
I have more questions. Who can I talk to?
If you have any questions, please contact our team at firstname.lastname@example.org.