I worked at scaleway.

This whole post is basically bullshit, "secure" transportation meant taking a random electric car (renault zoe) at the company headquarters or at DC5 and throwing hardware in the trunk.

No security in place whatsoever, servers lying in datacenter hallways fully loaded with disks, accessible to anyone.

Most of the company had access to the back office where they could just access customers' data without any kind of logging. (Internally this was called sudo mode on the online console, we basically had to click on a button to log in as any customer).

The "funniest" was the corporate VPN network being shared with the internal datacenter network, which meant any employee had, for instance, full access to all the home-made switches' management interfaces, which had no access control whatsoever; it happened that employees stumbled across this and wondered what it was (LOL), there was even a button to upload and flash (!) a firmware.

The upper management was terribly incompetent and would discard any kind of issue that was not affecting sales in the immediate term as not important (security or otherwise).
Apparently with plaintext customer data.

> Lechelle said Scaleway worked with the YouTuber to recover the disk. The French-language video creator has written to Scaleway with assurances they have not copied the information contained on the disk. It is said some customer data was on the drive, unencrypted, including the source code and SSH keys of an Italian VPS provider.
On their website they refer to multiple certifications [0].

One of them is the CISPE and on their website, it is stated:

"Requirement for CISP:

(a) Security measures

The CISP will implement and maintain appropriate technical and organisational measures for the CISP's data centre facilities, servers, networking equipment and host software systems that are within the CISP's control and are used to provide the CISP's service (the CISP Network). Those technical and organisational measures should (a) be designed *to help customers secure personal data against unauthorised processing and accidental or unlawful loss, access or disclosure*, and (b) address the security responsibilities of the CISP as set out in Annex A (Security Responsibilities)." [1]

I do not know about the other certifications, but this situation seems to be a clear violation of one of the requirements for CISP. The answer to this requirement is disk encryption. Moreover they are authorized to store medical records and data. I can't imagine that they do this without providing proper disk encryption. In the light of this event, I'm not sure they qualify for all these certifications.

[0] https://www.scaleway.com/fr/a-propos/

[1] https://cispe.cloud/code-of-conduct/
> The CEO said recovering the disk helped the authorities to advance their investigations into the heist, and meant the company felt able to publicly disclose the theft.

Aka they could no longer sweep it under the rug.
The things that are not clear to me are:

- Why was the disk being replaced (SMART warnings? HW upgrade? It failed in some way)?
- Why was the quick format recoverable? Was TRIM issued, or did the HW not support it?
- As a follow-up, I'm guessing the HW didn't support HW encryption?
- Why are they relying on 3rd parties for the destruction of data?

Meanwhile, it seems that HDs don't leave Google datacenters in one piece.
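The questions above about why a quick format was recoverable come down to data remanence: a quick format rewrites filesystem metadata and leaves the data blocks in place, so a raw scan of the device still finds the content. The following is an added illustration, not code from the thread or from Scaleway: a toy in-memory "disk" with a made-up filesystem layout (the `TOYFS` magic, `DIRENT` entries and `CUSTOMER_RECORD` sample are all constructed), showing what a quick format, a TRIM-backed discard, and a full overwrite each leave behind for a carving scan to find.

```python
"""
Toy model of data remanence after a quick format versus a real wipe.
Everything here is constructed for illustration: the block layout, the
filesystem markers and the sample record are invented, not a real on-disk format.
"""
import re

BLOCK = 512
META_BLOCKS = 4        # blocks 0-3 play the role of superblock + directory
DATA_BLOCK = 10        # block where the sample file's content is written
DISK_BLOCKS = 64
MAGIC = b"TOYFS\x00"
DIRENT = b"DIRENT:customers.db@%d\n"

# Constructed sample tenant data; nothing here is real.
SAMPLE_RECORD = b"CUSTOMER_RECORD id=1042 email=alice@example.invalid iban=XX00EXAMPLE\n"


def make_disk(payload: bytes = SAMPLE_RECORD) -> bytearray:
    """Build the toy image: metadata in the first blocks, file content at DATA_BLOCK."""
    disk = bytearray(DISK_BLOCKS * BLOCK)
    disk[0:len(MAGIC)] = MAGIC
    dirent = DIRENT % DATA_BLOCK
    disk[BLOCK:BLOCK + len(dirent)] = dirent
    start = DATA_BLOCK * BLOCK
    disk[start:start + len(payload)] = payload
    return disk


def quick_format(disk: bytearray) -> None:
    """Rewrite only the metadata area, as mkfs / a quick format does; data blocks are untouched."""
    disk[0:META_BLOCKS * BLOCK] = bytes(META_BLOCKS * BLOCK)
    disk[0:len(MAGIC)] = MAGIC


def full_overwrite(disk: bytearray, fill: int = 0) -> None:
    """Overwrite every block of the device, which is what a proper wipe does."""
    disk[:] = bytes([fill]) * len(disk)


def trim_discard(disk: bytearray, first_block: int, nblocks: int) -> None:
    """Model an SSD that honours TRIM with read-zero-after-trim: discarded LBAs read back as zeros.
    A drive without TRIM support (or an OS that never issues it) behaves like quick_format alone."""
    start = first_block * BLOCK
    disk[start:start + nblocks * BLOCK] = bytes(nblocks * BLOCK)


def fs_lists_file(disk: bytearray, name: bytes = b"customers.db") -> bool:
    """The filesystem's view: is there still a directory entry for the file?"""
    return (b"DIRENT:" + name + b"@") in bytes(disk[BLOCK:META_BLOCKS * BLOCK])


def carve(disk: bytearray, pattern: bytes = rb"CUSTOMER_RECORD[^\n]*") -> list:
    """Ignore the filesystem and scan raw blocks for recognisable content.
    This is the check a defender runs to verify a wipe actually removed the data.
    Returns the byte offsets of every hit."""
    return [m.start() for m in re.finditer(pattern, bytes(disk))]


def scenario(action: str) -> dict:
    """Apply one disposal action to a fresh toy disk and report what survives."""
    disk = make_disk()
    if action == "quick_format":
        quick_format(disk)
    elif action == "trim":
        quick_format(disk)
        trim_discard(disk, META_BLOCKS, DISK_BLOCKS - META_BLOCKS)
    elif action == "full_overwrite":
        full_overwrite(disk)
    elif action != "none":
        raise ValueError(f"unknown action: {action}")
    return {"fs_lists_file": fs_lists_file(disk), "carved_offsets": carve(disk)}


if __name__ == "__main__":
    for action in ("none", "quick_format", "trim", "full_overwrite"):
        print(f"{action:15s} -> {scenario(action)}")
```

The `quick_format` scenario is the interesting one: the filesystem no longer lists the file, yet the carving scan still finds the record at its original offset, which is exactly the situation where a drive leaving the building still carries tenant data. A whole-device TRIM only helps when the drive supports it and actually zeroes discarded ranges on read (not every SSD guarantees that), and a full overwrite costs a complete pass over the device; encryption at rest with the key kept off the drive is the control that makes the drive's physical fate irrelevant, which is why the HW-encryption question in the comment matters.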
The timeline of events in Scaleway's blog post is very dubious.

If the SSD was stolen over one year ago why do they only acknowledge it now?

In March 2021 [1] they were writing about how great their security was:

> We are proud of our data centers and their security. We consider that we have implemented the best solutions to protect your most valuable asset: your data. We are well aware of the huge responsibility this represents. There can be no compromises when it comes to your data.

Why were customers whose data was leaked only informed in June 2021? The delay of over 1 year is a huge GDPR issue.

The timeline of the incident from public sources:

21 May 2021: Micode tweets a screenshot of the directory listing [2]

26 May 2021: First video on the subject [3]

6 June 2021: Scaleway customer is notified their data was leaked [4]

21 July 2021: Second video on the subject [5]

24 July 2021: Third video on the subject [6]

24 July 2021: Scaleway releases a French blog post stating "Over a year ago, an SSD was stolen" [7]

Storing the data unencrypted is bad, but IMHO Scaleway's handling of the incident creates much bigger questions about their credibility.

[1] https://blog.scaleway.com/how-we-protect-your-data/

[2] https://mobile.twitter.com/Micode/status/1395640486715662336

[3] https://www.youtube.com/watch?v=vt8PyQ2PGxI

[4] https://www.lowendtalk.com/discussion/comment/3258386/#Comment_3258386

[5] https://www.youtube.com/watch?v=aOBVZUL1iBA

[6] https://www.youtube.com/watch?v=xf_cKTlOYLo

[7] https://blog.scaleway.com/incident-securitaire-video-youtube/

Previous discussion: https://news.ycombinator.com/item?id=27957471