{"id":32481,"date":"2025-07-18T13:41:32","date_gmt":"2025-07-18T17:41:32","guid":{"rendered":"https:\/\/www.oxebridge.com\/emma\/?p=32481"},"modified":"2025-07-18T13:41:32","modified_gmt":"2025-07-18T17:41:32","slug":"paradox-ai-responsible-for-123456-password-breach-holds-iso-27001-and-soc2-certifications","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/paradox-ai-responsible-for-123456-password-breach-holds-iso-27001-and-soc2-certifications\/","title":{"rendered":"Paradox AI, Responsible for “123456” Password Breach, Holds ISO 27001 and SOC2 Certifications"},"content":{"rendered":"

Paradox, a Scottsdale-based company that sells AI assistant tools for large enterprises, is reported to have used a known poor password, enabling data from clients such as McDonald’s and Lockheed Martin to be compromised. Originally reported in WIRED<\/a>, McDonald’s revealed that its Paradox-powered AI chatbot “Olivia<\/em>” had been breached due to “absurdly basic<\/em>” security flaws:<\/p>\n

… the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald’s applicants\u2014including all the personal information they shared in those conversations\u2014with tricks as straightforward as guessing that an administrator account’s username and password was \u201c123456.”<\/p><\/blockquote>\n

In response, Paradox issued a public blog post<\/a> that insisted “we want to emphasize that this incident impacted one Paradox client instance<\/em>.” Brian Krebs, the security researcher and writer for Krebs on Security, has challenged that assertion, however, revealing<\/a> other troubling problems with Paradox’s lax security:<\/p>\n

However, a review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services.<\/p>\n

[The] purloined credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for a number of\u00a0Fortune 500 firms listed as customers on the company\u2019s website, including\u00a0Aramark,\u00a0Lockheed Martin,\u00a0Lowes, and\u00a0Pepsi.<\/p><\/blockquote>\n

ISO 27001 “Assurances”<\/strong><\/span><\/p>\n

Meanwhile, Paradox has held both ISO 27001 and SOC 2 security certifications since 2019, according to the company’s press releases<\/a>.\u00a0These certifications were issued by A-LIGN, which is then accredited by ANAB in the United States.\u00a0<\/span><\/p>\n

ISO 27001 requires the implementation of security controls, which are then defined in greater detail in the supporting standard, ISO 27002. The controls for passwords, as defined in ISO 27002, attempt to prevent the exact problem shown by Paradox:<\/p>\n

When passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are… not based on anything somebody else could easily guess [and] free of consecutive identical, all-numeric or all-alphabetic characters.<\/p><\/blockquote>\n

ISO 27002 also requires that “encryption keys are long enough to resist brute force attacks.<\/em>”<\/p>\n

Nevertheless, third-party ISO 27001 certification was granted to Paradox and even reissued after the problem was reported. ISO 27001 certification is marketed by both A-LIGN and ANAB as being able to “assure<\/em>” the security of data and conformity to the standard, which would include those password requirements.<\/p>\n

A-LIGN repeatedly claims it “tests<\/em>” the controls defined in ISO 27001, even though typical audits rely primarily on interviews and reviews of pre-existing documentation, rather than actual testing. From the A-LIGN page<\/a> on ISO 27001 (emphasis added):<\/p>\n

Is your system conformed to the ISO 27001 standard?\u00a0<\/span>Let us\u00a0<\/span>test and confirm.<\/span><\/strong><\/em>This part\u00a0<\/span>of the audit\u00a0<\/span>includes<\/span>\u00a0interviews, inspection of documented evidence, and process observation.<\/span><\/span><\/p>\n

… we conduc<\/span>t annual surveillance audits to ensure your ongoing conformity<\/strong><\/em> with the ISO 27001 standard\u00a0<\/span>and<\/span>\u00a0give you the\u00a0<\/span>peace of mind<\/span>\u00a0that your systems and processes\u00a0<\/span>are<\/span> compliant.<\/span><\/p><\/blockquote>\n

A-LIGN then says its certification “builds a culture of information security and diligence<\/em>” and “reduces security incidents through implemented controls specific to your unique risks and assets.<\/em>”<\/p>\n

ANAB, meanwhile, has aggressively marketed its accreditation as being able to “assure<\/em>” results.<\/p>\n

\"\"<\/p>\n

ANAB went further and repeatedly marketed its accreditation as a tool companies can use in court to provide “an added layer of legal defensibility against invalid claims<\/em>.”<\/p>\n

\"\"<\/p>\n

SOC 2 Type II Assurances<\/strong><\/span><\/p>\n

In addition, Paradox holds SOC 2 certification. According to Secureframe<\/a>:<\/p>\n

SOC 2 is a security framework that specifies how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five\u00a0Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.<\/p>\n

During a SOC 2 audit, an independent auditor will evaluate a company\u2019s security posture related to one or all of these Trust Services Criteria. Each TSC has specific requirements, and a company puts internal controls in place to meet those requirements.<\/p><\/blockquote>\n

Specifically, Paradox holds an SOC 2 “Type II<\/em>” certification, which is alleged to be more rigorous than Type I. Type II reports attest to the company’s information security practices on the basis of how the specific TSC controls perform over a period of time, typically 3-12 months. As a result, SOC 2 Type II is harder to achieve, but is marketed as being more robust.<\/p>\n

This level, as opposed to Type I, is marketed as being able to “assure<\/em>” the company’s data is protected. Per the A-LIGN website<\/a>:<\/p>\n

Assure your customers and partners you are protecting their information with a SOC 2 assessment report from the top\u00a0SOC 2\u00a0report issuer in the world.<\/p><\/blockquote>\n

And:<\/p>\n

In a SOC 2 audit,\u00a0A-LIGN\u00a0will review your policies, procedures, and systems that protect information across five categories called Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). As your independent SOC 2 auditor,\u00a0A-LIGN\u00a0evaluates the evidence you supply for the controls in each category, resulting in a SOC 2 report.<\/p>\n

The benefits of a SOC 2 report … provides assurance to your customers and partners that your systems are secure.<\/p><\/blockquote>\n

Certification Re-Issued After Public Disclosure<\/strong><\/span><\/p>\n

It raises serious questions about the veracity of both A-LIGN and ANAB marketing claims if so many audits could have been conducted on Paradox systems without anyone noticing that Paradox AI passwords had been set to “123456<\/em>,” which Paradox admitted was a “legacy password<\/em>.” Given that Paradox’s ISO 27001 certificate was initially issued in 2019, it would mean that Paradox<\/span>\u00a0underwent at least six audits by A-LIGN during that time.<\/p>\n

More troubling is the fact that, according to IAF CertSearch, the certificate to Paradox was updated by A-LIGN on July 16, 2025, after<\/strong><\/em>\u00a0<\/em>the McDonald’s passwork scandal was reported in the mainstream press.<\/span><\/p>\n

\"\"<\/a>A-LIGN also reports<\/a> it is an official C3PAO auditing body for the CMMC program, which also asserts to have the ability to prevent such incidents.<\/p>\n

In 2024, A-LIGN\u00a0began issuing ISO 42001 certifications<\/a> for AI management<\/span>\u00a0systems, also under ANAB accreditation, even though the rules for certification bodies under the ISO 42001 scheme are still in draft.<\/p>\n

History of Scandal<\/strong><\/span><\/p>\n

To date, a host of ANAB-accredited ISO 27001 certificates have been issued to companies later found to be in violation of the standard.<\/p>\n