A data breach at UK-based Fresh Film Productions, which makes adverts for high-profile companies including Unilever, has exposed sensitive personal data of participants in antiperspirant brand Dove’s ‘real people’ campaign.

The company inadvertently exposed the data, which included bank details and passport scans, by leaving a company server hosted online on an unsecured Amazon Web Services S3 bucket. This meant that it could be freely accessed by anyone with an internet connection.

The server, discovered during a Verdict investigation, was immediately secured by Fresh Film upon being notified of the breach. It hosted a vast array of production files, including over 1,500 files containing sensitive data. It is not clear if the server – which appears to have been freely accessible online since at least 2018 – was accessed by cybercriminals.

The most significant exposure related to a 2017 advert for Unilever-owned Dove, known internally as Dove Men Plato. This involved 40 men, mainly residing in the UK but of four nationalities, Australian, German, Italian and Dutch, in order to produce variants on the advert for different markets.

It is one of numerous adverts run by Dove featuring non-professionals, as part of a wider campaign known as Real Beauty for the women’s market and Real Strength for the men’s market.

Richard Carter-Hounslow, producer at Fresh Film, told Verdict:

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“We take things like data protection very seriously and will be looking into this matter with urgency.”

Verdict has also approached Unilever for comment, but has not yet had a response.

Passport and bank details of Dove campaign participants exposed in data breach

Personal data, including names, addresses, email addresses, telephone numbers, dates of birth and bank details were exposed for all of the men participating, as were passport scans and flight details for around half, and national insurance numbers for the majority of the other half.

The men in question are not professional actors or models and had to sign a contract affirming that they did not plan to become a professional actor or model, or behave in a manner that would “damage the reputation” of Fresh Film or Unilever.

“There’s something deeply ironic about 40 ‘real people’ volunteering to bravely expose themselves in a Dove ad campaign only to find out that your most personal information has been exposed at the same time,” said Graham Cluley, a leading independent cybersecurity expert.

“What possible excuse can there be for sensitive data like this to be stored unencrypted, let alone then left on an unsecured Amazon web bucket.

“When a traditional data breach happens, users have the option to change their passwords at the very least. Good luck changing your national insurance number, your address, your passport details, and everything else that has been left bare for anyone to see – no password required.”

Other casting documents, including transcripts of auditions, contained photographs and details about the interests of each man, which could be used by criminals, along with the personal data, to commit identity theft or fraud.

Commenting on the breach, Jake Moore, cybersecurity specialist at ESET, expressed concern at the severity of the data exposed.

“The implications of such exposed data could be catastrophic to the potential victims involved and such a large amount of personal data on each of them is more than I would usually see in a breach like this,” he said.

“Bank fraud and identity theft are naturally the first areas of concern but with this amount of data, the possibilities are endless to anyone with this volume of information at their disposal. It would take a significant amount of work to mitigate the risk but extra fraud protection on the victim’s banks would be the first port of call.”

The server also included files containing the personal data of other individuals that auditioned for the campaign but did not get selected, including names, addresses, email addresses and telephone numbers.

Fresh Film data breach impacts industry professionals

In addition to exposing the personal details of participants in the Dove campaign, the data breach also included a large number of sensitive files relating to crew, professional cast members and companies that Fresh Film works with.

This largely took the form of invoices, with those from businesses including company names, addresses and bank details, while invoices from individual cast and crew members typically including names, addresses, telephone numbers, dates of birth and national insurance numbers.

Verdict identified over 700 invoices from companies and almost 400 invoices from individual crew members, although as many individuals and companies have worked with Fresh Film multiple times, it is unclear exactly how many people are affected.

The server also contained a small number of passport scans of participants on other campaigns, mainly crew members.

The role of GDPR

As the incident involves personal data, Fresh Film will need to report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.

While many of the files on the server were created before GDPR came into force on 25 May 2018, Fresh Film is likely to be liable for a fine under GDPR because the data remained freely available long after this date.

This means Fresh Film could be subject to a far greater fine for the breach than under the previous Data Protection Act, at up to 4% of global annual turnover.

This is similar to the situation with the Marriott data breach that impacted subsidiary Starwood and saw the hotel giant slapped with a £99.1m fine by the ICO. In that instance, while cybercriminals initially gained access to the company’s systems in 2014, their presence was only discovered in November 2018, after GDPR had come into effect.

“Any data breach that involves loss of personal data falls under EU GDPR and will likely be investigated by the data protection authority,” said Joseph Carson, chief security scientist at Thycotic.

“Due to the nature and sensitivity of the personal data which can easily be abused such as identity theft and financial fraud it is likely that those victims will need to replace any official documents to reduce the risks of becoming a cyber victim.”

However, as Fresh Film was working on behalf of Unilever, there is a question as to whether the latter will be liable.

“On who will be ultimately responsible for this breach, this will ultimately depend on whom those contractors were working for and how the contracts have been put together,” said Carson.

“Having experience in adverts and commercials usually the contract is between the casting agency and the actor so the responsibly is most likely limited and the advertisement client most likely has limited exposure of this type of data breach, other than potential brand damage and some data loss  – though again, it is mostly depending on the contract.”

The leaky bucket problem continues

The Fresh Film data breach is the latest in a long line of data breaches that have occurred due to ‘leaky buckets’ – Amazon Web Services S3 buckets that have been incorrectly configured by the user, making them unsecured.

“Cloud misconfiguration can easily occur so therefore it needs to be double checked by the people in charge of it. If you are concerned, them simply log into the console and click on S3 and look for the ‘Public’ tag to see if any data is vulnerable to theft,” said Moore.

“AWS has taken measures to better educate its customers about proper S3 bucket configurations but the best protection is a two way street where users take on some of the responsibility themselves too.”

S3 buckets are private by default, and have been since the service first launched in 2006, meaning that users have to manually change the security settings to ‘public’.

However, many companies are still inadvertently exposing sensitive data due to incorrectly configured cloud servers, putting them at risk of being fined under GDPR.

“This type of breach again raises the need for companies to get the basic security best practices in place such as strong privileged access management and that AWS S3 buckets should have security risk assessments performed before placing any sensitive data as this is all to a common occurrence for major data breaches and this will likely not be the last one in 2020,” said Carson.

“It’s time for all firms, whether they are technology firms or not, to recognise that they have a duty of care to protect the data of their customers, their partners, their staff, and members of the public,” added Cluley.

“There will, no doubt, be other businesses being just as a cavalier as Fresh Film with their security – but the real losers are the people who have had their personal information put at risk, not the companies who were careless with the data.”

Additional reporting by Robert Scammell.

Read more: Average cost of a data breach jumps 12% to $3.92m: IBM study

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up