Regus spills data of 900 staff on Trello board set to ‘public’
Another company has ended up accidentally spilling sensitive data from business collaboration tool Trello.
According to a Daily Telegraph report, the company that put the boot to its own throat this time is office space company Regus, which posted performance ratings of 900 managers to a public Trello board.
Trello boards have three visibility settings: Private (visible only to board members and admins), Team (visible only to members of a specified team), and Public.
It seems that Regus’s parent company, IWG, carried out covert video assessments using researchers from a company called Applause, who posed as clients looking for office space.
The evaluations from this were gathered into a spreadsheet which was inadvertently set to ‘public’.
Because search engines index public Trello boards, that meant anyone with a browser could, in theory, see the data, which included names, addresses, performance ratings, and company training videos.
These would normally be shown only to the employee concerned as part of company assessments.
In addition to exposing Regus’s own staff, the personal details and email addresses of the external researchers working for Applause were also leaked. IWG issued a statement that appeared to shift the blame to the research company:
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.”
The data has now been taken down:
“As our primary concern we took immediate action and the external provider has now removed the content.”
The newspaper says, however, that this didn’t happen until it contacted IWG and Applause. It’s not clear how long the data was left in its public, exposed state.