San Francisco Employees’ Retirement System notifies employees of contractor breach
The San Francisco Employees’ Retirement System has been notifying people about a breach. From their notification, this explanation of what happened:
The Retirement System contracts with vendors to provide SFERS members with on‐ line access to their account information. One of the vendors, 10up Inc., set up a test environment on a separate computer server which included a database containing data from approximately 74,000 SFERS member accounts as of August 29, 2018. The server data was not subsequently updated.
On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020. The vendor promptly shut down the server and began an investigation. The vendor found no evidence that the information of SFERS members was removed from its server, but at this time, it cannot confirm that the information was not viewed or copied by an unauthorized party. On March 26, 2020, the vendor notified SFERS of the server breach and both SFERS and the vendor continue to investigate the potential exposure of data.
I’m not sure I understand what that explanation means. Was the test environment database left unsecured and someone found it and notified them on March 21, or was it hacked, or…? And why can’t the vendor confirm whether there had been access? Did they not have adequate audit/access controls on it?