OWASP issues data breach alert after misconfigured server leaked member resumes

Cyber security concept image showing digitized padlock sitting on a computer circuit board.
(Image credit: Getty Images)

The Open Worldwide Application Security Project (OWASP) is warning current and former members their data may have been breached due to a misconfiguration of an old Wiki web server.

OWASP provides resources, tools, and documentation to help organizations develop, deploy, and maintain secure IoT, system software, and web application security. Founded in 2001, the non-profit has tens of thousands of members around the world.

Now, many of those early members are being warned that their personal data may have been exposed thanks to a misconfiguration of the Wiki web server holding their resumes.

Those joining between 2006 and 2014 were asked to provide a resume in order to demonstrate a connection to the OWASP community - and it's these members that are affected by the breach.

The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information.

"If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach," said OWASP executive director Andrew van der Stock.

The problem was discovered in late February, when, after receiving a number of support requests, the OWASP Foundation became aware of a misconfiguration of OWASP’s old Wiki web server.

The non-profit assured members that current membership data is protected by cloud-based security best practices, such as two-factor authentication, minimal access, and resiliency.

OWASP added that it no longer collects resumes from prospective members, and now collects only minimal information to minimize any potential data loss in the future.

Many of those affected have now left OWASP, and the data is at least ten years old, making it difficult for OWASP to track them all down. However, van der Stock said the organization will do its best to contact all those affected.

If the data includes any current information, such as phone numbers, he warned, members should be particularly alert to the possibility of scam calls.

OWASP has done all it can to rectify the breach, according to van der Stock. The organization has reviewed its data retention policies, and will implement additional security measures to prevent further breaches in future.

"We have disabled directory browsing, reviewed the web server and Media Wiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the CloudFlare cache to prevent further access," he said.

"Lastly, we have requested that the information be removed from the Web Archive."

In a comment on X, the foundation wryly stated "we recognize the unfortunate irony here, and are determined to make it our last breach."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.