An investigation into WeWork’s shared WiFi networks has unearthed serious security vulnerabilities, as well as a lack of urgency from the short-term office rental company to address the concerns.
The investigation, published by CNET, found that more than 650 devices – everything from computers, to servers, to coffee machines – were exposed on the network in one WeWork building, and were leaving “astronomical” amounts of data vulnerable to exploitation.
By scanning the WiFi network for data, it was possible to gain access to everything, including emails, financial records and banking credentials.
Teemu Airamo, who discovered the vulnerability after his company moved into a WeWork office in 2015, claimed to have asked the building’s community manager if he was aware of the vulnerability. The manager’s response was “yeah, eh”, Airamo said.
Airamo has continued to run scans in the four years since. He has also contacted WeWork’s upper management, but no changes have been made.
WeWork data security puts WeWork customers at risk
This lack of protection puts WeWork customers at serious risk of suffering data breaches if they aren’t putting additional protections in place.
“Scanning Wi-Fi for data is ridiculously easy to carry out for a threat actor and, therefore, should be treated as a high-risk vulnerability,” Jake Moore, cybersecurity specialist for ESET, explained. “Data leaks are extremely likely in open network situations and shouldn’t be turned a blind eye on.”
According to Moore, while startups might not have considered the potential risks in the past, this is something they must now seriously consider before setting up shop in a shared workspace.
“Sharing anything digital with another company will naturally come with a security risk, but people still tend to overlook protection and privacy when it comes to convenience and ease.”
Tony Pepper, CEO of software company Egress, shares Moore’s view. While shared workspaces offer a cheap and convenient place to work, startups need to understand the compromise that they’re making.
“Real-estate-as-a-service doesn’t automatically give strong IT-security-as-a-service,” Pepper stressed. “Startups gravitate to the immediacy of shared workplaces but need to appreciate that universally shared networks just aren’t secure let alone compliant to the myriad of data handling regulations they face.”
“The risks of leakage files, emails, intellectual property, HR data, and customer data that are easily exploited in the wrong hands is huge.”
The CNET investigation follows the news that WeWork had been using an easily guessable password to secure its buildings. The same password had been used to secure locations around the world and wasn’t changed for years. And, according to Fast Company, which broke the story, the same password regularly appears on lists of the most common and worst possible passwords.
According to Moore, poor password habits provide threat actors with an easy means of stealing valuable data from businesses, without even having to enter their office building.
“Many companies use standard Wi-Fi passwords, which rarely get changed and are often related to the business itself,” Moore explained. “This means with long-range Wi-Fi coverage, hackers could potentially travel around outside companies’ buildings siphoning all sorts of company secrets and other data.”
Poor data security could hit WeWork’s IPO value
The investigation comes a month after WeWork released its prospectus detailing its plans for an initial public offering, which valued the company at $47bn – a move described as “one of the most courageous IPOs of recent memory” by Chris Beauchamp, chief market analyst for IG.
WeWork has since postponed its IPO as investor sentiment soured, sending its estimated value below $15bn.
The company has said that it still expects to go public by the end of the year, but news of its data security practices could further damage investor interest before then. According to Mike O’Malley, vice president of carrier services for cybersecurity firm Radware, investors are now likely to consider a company’s cybersecurity practices when valuing a pre-IPO company:
“Investors now factor cybersecurity in both the valuation and due diligence of pre-IPO companies like WeWork.
“WeWork’s inadequate measures toward data protection exposes them to more than just risk of a data breach, but it also has the potential to devalue it in this critical pre-IPO stage.”
Regulators around the world have implemented, or are in the process of implementing, regulations that punish businesses for poor data security practices. The European Union’s General Data Protection Regulation (GDPR), which has seemingly set a precedent for others to follow, sets a maximum fine of €20m or up to 4% of global annual turnover for non-compliance.
However, these incidents have the potential to wipe a far greater value off a company’s stock price.
British Airways’ parent company International Airlines Group saw its share price drop by more than 4% after disclosing a breach in 2018 that compromised the payment details of 380,000 of its customers. With a market cap of approximately £9.5bn, 4% of its value equates to around £380m.
If WeWork were to achieve its $47bn valuation, 4% would equate to around $1.9bn – more than enough to concern investors.