OWASP Foundation Discloses Data Breach: Resumes Exposed Due to Server Misconfiguration

TheRealThreatHuntress
2 min read · Apr 2, 2024

The OWASP Foundation has revealed a data breach resulting from the exposure of some members’ resumes online due to a misconfiguration of its former Wiki web server.

OWASP, which stands for Open Worldwide Application Security Project, is a nonprofit organization established in December 2001, dedicated to software security. With tens of thousands of members and over 250 chapters worldwide organizing educational and training conferences, OWASP is a prominent figure in the cybersecurity community.

The MediaWiki misconfiguration was discovered in late February, after OWASP received several support requests. The breach specifically impacted members who joined the foundation between 2006 and 2014 and had submitted resumes as part of the old membership process.

According to OWASP Executive Director Andrew van der Stock, the exposed resumes contained personally identifiable information such as names, email addresses, phone numbers, and physical addresses. These resumes were collected during the early membership process, which required members to demonstrate a connection to the OWASP community during the 2006 to 2014 timeframe. However, OWASP no longer collects resumes as part of the membership process.

Affected individuals, even those who are no longer members, will be notified of the incident via email, though many of the exposed personal details may be outdated.

OWASP has taken several steps to address the data breach, including disabling directory browsing, reviewing the web server and MediaWiki configuration for other security issues, and removing all resumes from the wiki site and purging the Cloudflare cache. Additionally, OWASP has contacted the Web Archive to request the removal of the exposed resume information.
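As an added example (not OWASP's own tooling or configuration), a small audit script that reviews an Apache httpd configuration for the directory-listing setting the article says OWASP disabled. It assumes Apache, which the article does not name, and runs against a constructed sample vhost embedded in the script:

```shell
#!/bin/sh
# Added example, not OWASP's code. Audits an Apache httpd configuration for
# Options directives that leave directory listing (Indexes) enabled, which is
# what exposes uploaded files when no index page exists. Assumes Apache; other
# servers use different directives (for example nginx's "autoindex").

# Print one line per Options directive that enables directory listing.
# A directive enables listing when it contains Indexes, +Indexes, All or +All
# and no -Indexes token; everything else (including "Options None") is safe.
audit_directory_listing() {
  awk '
    /^[[:space:]]*Options([[:space:]]|$)/ {
      on = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "Indexes" || $i == "+Indexes" || $i == "All" || $i == "+All") on = 1
        if ($i == "-Indexes") { on = 0; break }
      }
      if (on) printf "%s:%d: %s\n", FILENAME, NR, $0
    }' "$1"
}

# Number of offending directives in a config file (used by the checks below).
count_findings() {
  audit_directory_listing "$1" | wc -l | tr -d ' '
}

# Constructed sample vhost: the /images block mimics a wiki upload directory
# with listing enabled, /resources enables it implicitly via "All", and the
# /private block shows the hardened form.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/wiki
    <Directory "/var/www/wiki">
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory "/var/www/wiki/images">
        Options Indexes FollowSymLinks
    </Directory>
    <Directory "/var/www/wiki/resources">
        Options All
    </Directory>
    <Directory "/var/www/wiki/private">
        Options -Indexes +FollowSymLinks
    </Directory>
</VirtualHost>
EOF

echo "Directory listing enabled in:"
audit_directory_listing "$SAMPLE_CONF"
```

Run it against real config files (`audit_directory_listing /etc/apache2/sites-enabled/*.conf`) to find every `<Directory>` block that still serves listings; the fix is `Options -Indexes` in each flagged block.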

Van der Stock reassured affected individuals that OWASP has already removed their information from the internet, so no immediate action is required. However, if the information is current, such as containing a mobile phone number, caution should be exercised when responding to unsolicited emails, mail, or phone calls.
