Announcement: Accidental Release of Business-In-Confidence Information

On January 29th, 2023, SCA Inc. Information Technology was notified by concerned members that the archives of the SCA-Comments list serve were accessible to the public. Although it is not the designated reporting channel, the comments email address has, at times, been used as a harassment and discrimination reporting vehicle. Subsequently, the breach had the potential to jeopardize a victim’s right to privacy and SCA Inc’s responsibility of protection for them. Upon receipt of this information, my team immediately acted to shut down the breach. However, data had been exposed long enough that several search engines had crawled and archived the data. The extent of this security breach was emails sent to SCA-Comments@lists.sca.org between April of 2022 and January of 2023.

The initial exposure was contained within a few hours of notification. Over the next couple of days other avenues of exposure to the same and similar data were found and locked down. My team began the process of getting the search engines to remove their archives of the information. At this point, we believe all access to that data has been removed and we feel that publishing this information will not cause further risk to any individuals concerned or the organisation.

The root cause of the breach was a misconfigured archive setting when the email address for comments was changed last year. To prevent further similar occurrences, SCA-comments has been moved entirely off the list serve system. The correct email address for comments is “SCA-comments@sca.org” (although the ‘lists.sca.org’ address will still work for now). This has been active for some time.

SCA Inc. Information Technology apologizes for any alarm or inconvenience anyone may have suffered because of this breach. Particular thanks go to Matthew Simon Ryan Cavalletto (Mathghamhain Ua Ruadháin) for initially alerting us to and helping assess the scope of the issue.

Anyone wishing to further discuss this matter should contact me (it@sca.org) and John Fulton, SCA Inc. President (president@sca.org).

Sam Davis, Manager, Information Technology

 

Accidental Release of Business-In-Confidence Information