A data breach at UK-based Fresh Film Productions, which makes adverts for high-profile companies including Unilever, has exposed sensitive personal data of participants in antiperspirant brand Dove’s ‘real people’ campaign.
The company inadvertently exposed the data, which included bank details and passport scans, by leaving a company server hosted online on an unsecured Amazon Web Services S3 bucket. This meant that it could be freely accessed by anyone with an internet connection.
The server, discovered during a Verdict investigation, was immediately secured by Fresh Film upon being notified of the breach. It hosted a vast array of production files, including over 1,500 files containing sensitive data. It is not clear if the server – which appears to have been freely accessible online since at least 2018 – was accessed by cybercriminals.
The most significant exposure related to a 2017 advert for Unilever-owned Dove, known internally as Dove Men Plato. This involved 40 men, mainly residing in the UK but of four nationalities (Australian, German, Italian and Dutch), in order to produce variants of the advert for different markets.
It is one of numerous adverts run by Dove featuring non-professionals, as part of a wider campaign known as Real Beauty for the women’s market and Real Strength for the men’s market.
Richard Carter-Hounslow, producer at Fresh Film, told Verdict:
“We take things like data protection very seriously and will be looking into this matter with urgency.”
Verdict has also approached Unilever for comment, but has not yet had a response.
Passport and bank details of Dove campaign participants exposed in data breach
Personal data, including names, addresses, email addresses, telephone numbers, dates of birth and bank details were exposed for all of the men participating, as were passport scans and flight details for around half, and national insurance numbers for the majority of the other half.
The men in question are not professional actors or models and had to sign a contract affirming that they did not plan to become a professional actor or model, or behave in a manner that would “damage the reputation” of Fresh Film or Unilever.
“There’s something deeply ironic about 40 ‘real people’ volunteering to bravely expose themselves in a Dove ad campaign only to find out that your most personal information has been exposed at the same time,” said Graham Cluley, a leading independent cybersecurity expert.
“What possible excuse can there be for sensitive data like this to be stored unencrypted, let alone then left on an unsecured Amazon web bucket.
“When a traditional data breach happens, users have the option to change their passwords at the very least. Good luck changing your national insurance number, your address, your passport details, and everything else that has been left bare for anyone to see – no password required.”
Other casting documents, including transcripts of auditions, contained photographs and details about the interests of each man, which could be used by criminals, along with the personal data, to commit identity theft or fraud.
Commenting on the breach, Jake Moore, cybersecurity specialist at ESET, expressed concern at the severity of the data exposed.
“The implications of such exposed data could be catastrophic to the potential victims involved and such a large amount of personal data on each of them is more than I would usually see in a breach like this,” he said.
“Bank fraud and identity theft are naturally the first areas of concern but with this amount of data, the possibilities are endless to anyone with this volume of information at their disposal. It would take a significant amount of work to mitigate the risk but extra fraud protection on the victims’ banks would be the first port of call.”
The server also included files containing the personal data of other individuals who auditioned for the campaign but did not get selected, including names, addresses, email addresses and telephone numbers.
Fresh Film data breach impacts industry professionals
In addition to exposing the personal details of participants in the Dove campaign, the data breach also included a large number of sensitive files relating to crew, professional cast members and companies that Fresh Film works with.
This largely took the form of invoices: those from businesses included company names, addresses and bank details, while invoices from individual cast and crew members typically included names, addresses, telephone numbers, dates of birth and national insurance numbers.
Verdict identified over 700 invoices from companies and almost 400 invoices from individual crew members, although as many individuals and companies have worked with Fresh Film multiple times, it is unclear exactly how many people are affected.
The server also contained a small number of passport scans of participants on other campaigns, mainly crew members.
The role of GDPR
As the incident involves personal data, Fresh Film will need to report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
While many of the files on the server were created before GDPR came into force on 25 May 2018, Fresh Film is likely to be liable for a fine under GDPR because the data remained freely available long after this date.
This means Fresh Film could be subject to a far greater fine for the breach than under the previous Data Protection Act, at up to 4% of global annual turnover.
This is similar to the situation with the Marriott data breach that impacted subsidiary Starwood and saw the hotel giant slapped with a £99.1m fine by the ICO. In that instance, while cybercriminals initially gained access to the company’s systems in 2014, their presence was only discovered in November 2018, after GDPR had come into effect.
“Any data breach that involves loss of personal data falls under EU GDPR and will likely be investigated by the data protection authority,” said Joseph Carson, chief security scientist at Thycotic.
“Due to the nature and sensitivity of the personal data which can easily be abused such as identity theft and financial fraud it is likely that those victims will need to replace any official documents to reduce the risks of becoming a cyber victim.”
However, as Fresh Film was working on behalf of Unilever, there is a question as to whether the latter will be liable.
“On who will be ultimately responsible for this breach, this will ultimately depend on whom those contractors were working for and how the contracts have been put together,” said Carson.
“Having experience in adverts and commercials, usually the contract is between the casting agency and the actor, so the responsibility is most likely limited and the advertisement client most likely has limited exposure of this type of data breach, other than potential brand damage and some data loss – though again, it is mostly depending on the contract.”
The leaky bucket problem continues
The Fresh Film data breach is the latest in a long line of data breaches that have occurred due to ‘leaky buckets’ – Amazon Web Services S3 buckets that have been incorrectly configured by the user, making them unsecured.
“Cloud misconfiguration can easily occur so therefore it needs to be double checked by the people in charge of it. If you are concerned, then simply log into the console and click on S3 and look for the ‘Public’ tag to see if any data is vulnerable to theft,” said Moore.
“AWS has taken measures to better educate its customers about proper S3 bucket configurations but the best protection is a two way street where users take on some of the responsibility themselves too.”
S3 buckets are private by default, and have been since the service first launched in 2006, meaning that users have to manually change the security settings to ‘public’.
However, many companies are still inadvertently exposing sensitive data due to incorrectly configured cloud servers, putting them at risk of being fined under GDPR.
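The console check Moore describes above can be automated across an account. The following is an added example, not code from the article or from Fresh Film: it decides whether a bucket is world-readable from the three pieces of state that matter (the bucket ACL, the Block Public Access settings and the bucket policy status), using dict shapes that mirror the boto3 `get_bucket_acl`, `get_public_access_block` and `get_bucket_policy_status` responses. The bucket snapshot at the bottom is constructed for illustration; in practice each tuple would be filled from those API calls.

```python
# Added example, not from the article: flag S3 buckets that are readable by the
# world from the three API responses that decide it. Dict shapes mirror boto3's
# get_bucket_acl / get_public_access_block / get_bucket_policy_status; the
# bucket data is constructed for illustration.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

def public_acl_grants(acl):
    """Return 'Permission:Group' for each grant to AllUsers or AuthenticatedUsers
    (any AWS account counts as public: anyone can open one)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append(f"{grant['Permission']}:{PUBLIC_GROUPS[grantee['URI']]}")
    return found

def assess_bucket(acl, public_access_block, policy_status):
    """Return a list of exposure findings; an empty list means not public."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    # Block Public Access 'IgnorePublicAcls' neutralises public ACL grants.
    if not pab.get("IgnorePublicAcls", False):
        findings += [f"acl:{g}" for g in public_acl_grants(acl)]
    # 'RestrictPublicBuckets' neutralises a public bucket policy.
    policy_public = (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False)
    if policy_public and not pab.get("RestrictPublicBuckets", False):
        findings.append("policy:IsPublic")
    return findings

def audit(snapshot):
    """Map bucket name -> findings; snapshot values are (acl, pab, policy_status)."""
    return {name: assess_bucket(*parts) for name, parts in snapshot.items()}

# Constructed snapshot of three buckets (no AWS calls; None = no PAB / no policy).
ALL_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_SNAPSHOT = {
    "prod-assets": ({"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                 "Permission": "READ"}]}, None, None),
    "shared": ({"Grants": []}, ALL_PAB, {"PolicyStatus": {"IsPublic": True}}),
    "private": ({"Grants": []}, None, {"PolicyStatus": {"IsPublic": False}}),
}
```

Note that `get_bucket_policy_status` and `get_public_access_block` raise an error when the bucket has no policy or no Block Public Access configuration; the caller should catch that and pass `None`, which the checks above treat as "nothing configured".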
“This type of breach again raises the need for companies to get the basic security best practices in place, such as strong privileged access management, and that AWS S3 buckets should have security risk assessments performed before placing any sensitive data, as this is all too common an occurrence for major data breaches and this will likely not be the last one in 2020,” said Carson.
“It’s time for all firms, whether they are technology firms or not, to recognise that they have a duty of care to protect the data of their customers, their partners, their staff, and members of the public,” added Cluley.
“There will, no doubt, be other businesses being just as cavalier as Fresh Film with their security – but the real losers are the people who have had their personal information put at risk, not the companies who were careless with the data.”
Additional reporting by Robert Scammell.