Howie Liu

Airtable, a San Francisco-based IT firm with ISO 27001 certification, was discovered to be leaking the personally identifiable information (PII) of children as young as 10 through an insecure URL, but has refused to take action on the matter.

The issue was reported on LinkedIn by Harold Smith of Virginia, in a post tagging Airtable CEO Howie Liu. In that post, Smith wrote:

Hey, Howie Liu, your company Airtable is leaking PII on minors. Many under the age of 10. Their name, their parents' name, and their school. No one has done anything about it. Do you care enough about your compliance requirements to fix this issue?

I’ve tried reaching out through the vendor and seen nothing occur other than now using pen and paper. So. Here it is.

Smith reported he discovered a flaw within Airtable’s platform that allows anyone aware of the problem to see the full name and family information for thousands of school children.

Liu has not responded.

According to the Airtable website, the problem should not exist:

When you visit the Airtable website or use one of the Airtable apps, the transmission of information between your device and our servers is protected using 256-bit TLS encryption. At rest, Airtable encrypts data using AES-256. Airtable servers are located in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified.

Oxebridge has confirmed that Airtable holds a current certificate to ISO 27001 for information security management, issued by ANAB-accredited certification body BARR Certifications of Kansas. According to the certificate information, it was issued in January of this year, and is set to expire in 2025.

It appears Airtable is in violation of clause 10.1 of ISO 27001:2013, which requires:

When a nonconformity occurs, the organization shall react to the nonconformity, and as applicable, take action to control and correct it.

Oxebridge has reached out to Airtable and BARR Certifications for comment.


UPDATE 5 October 2023: Within just hours of contacting Brad Theis at BARR, he replied and is working on the issue. There has still been no reply from representatives at Airtable.
