{"id":29377,"date":"2023-10-05T10:46:38","date_gmt":"2023-10-05T14:46:38","guid":{"rendered":"https:\/\/www.oxebridge.com\/emma\/?p=29377"},"modified":"2023-10-05T18:46:38","modified_gmt":"2023-10-05T22:46:38","slug":"iso-27001-certified-company-found-leaking-childrens-data-takes-no-action","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/iso-27001-certified-company-found-leaking-childrens-data-takes-no-action\/","title":{"rendered":"ISO 27001 Certified Company Found Leaking Children’s Data, Takes No Action"},"content":{"rendered":"
\"\"

Howie Liu<\/p><\/div>\n

Airtable, a San Francisco-based IT firm with ISO 27001 certification, was discovered to be leaking the personal identifiable information (PII) on children as young as 10 due to an insecure URL, but has refused to take action on the matter.<\/p>\n

The issue was reported on LinkedIn by Harold Smith<\/a> of Virginia, in a post tagging Airtable CEO Howie Liu<\/a>. In that post, Smith wrote<\/a>:<\/p>\n

Hey, Howie Liu\u00a0your company\u00a0Airtable is leaking PII on minors. Many under the age of 10. Their name, their parents name, and their school. No one has done anything about it. Do you care enough about your compliance requirements to fix this issue?<\/p>\n

I\u2019ve tried reaching out through the vendor and seen nothing occur other than now using pen and paper. So. Here it is.<\/p><\/blockquote>\n

Smith reported he discovered a flaw within Airtable’s platform that allows anyone aware of the problem to see the full name and family information for thousands of school children.<\/p>\n

Liu has not responded.<\/p>\n

According to the Airtable website<\/a>, the problem should not exist:<\/p>\n

\n

When you visit the Airtable website or use one of the Airtable apps, the transmission of information between your device and our servers is protected using 256-bit TLS encryption. At rest, Airtable encrypts data using AES-256. Airtable servers are located in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified.<\/p>\n<\/blockquote>\n

Oxebridge has confirmed that Airtable holds a current certificate to ISO 27001 for information security management, issued by ANAB-accredited certification body BARR Certifications<\/a> of Kansas. According to the certificate information, it was issued in January of this year, and is set to expire in 2025.<\/p>\n

\"\"<\/p>\n

It appears Airtable is in violation of clause 10.1 of ISO 27001:2013, which requires:<\/p>\n

When a nonconformity occurs, the organization shall react to the nonconformity, and as applicable, take action to control and correct it.<\/p><\/blockquote>\n

Oxebridge has reached out to Airtable and BARR Certifications for comment.<\/p>\n

\n

UPDATE<\/span> 5 October 2023:<\/strong> Within just hours of contacting Brad Theis at BARR, he replied and is working the issue. There has still been no reply from representatives at Airtable.<\/p>","protected":false},"excerpt":{"rendered":"

Airtable was found to be leaking PII for minors as young as 10, despite holding ISO 27001 certification and claiming SOC2 compliance.<\/p>","protected":false},"author":644,"featured_media":29382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","mc4wp_mailchimp_campaign":[],"footnotes":""},"categories":[3],"tags":[8383,8385,938,8384,65,8386,8387],"class_list":["post-29377","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-airtable","tag-barr-certifications","tag-cybersecurity","tag-howie-liu","tag-iso-27001","tag-pii","tag-soc2","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/29377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/users\/644"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/comments?post=29377"}],"version-history":[{"count":4,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/29377\/revisions"}],"predecessor-version":[{"id":29384,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/29377\/revisions\/29384"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media\/29382"}],"wp:attachment":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media?parent=29377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/categories?post=29377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/tags?post=29377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}