GDS working with departments to mitigate reported leak of sensitive data
Report reveals that information has been made publicly available online via an information-sharing tool widely used by government developers
A range of sensitive government documents have been freely accessible online – possibly for several years – as a result of civil servants’ use of public pages on an online information-sharing platform, according to a report.
An article in The Sunday Telegraph claims that a number of government documents from the Home Office and Cabinet Office were held on public Trello pages that could be easily found and accessed via Google searches. These included information on obtaining passes for government offices, and “details of communications with MI5 and counter-terrorism officials”, the report said.
Trello is an online project-management tool that allows people and teams to share information and documents using web-based boards.
Administrators can set boards to one of three privacy levels: private; team; or public. In the latter case, pages and content are indexed by Google – and so appear in searches, and can be accessed by any public internet user.
At time of writing, a number of government Trello boards – including some of those uncovered by the Telegraph – still appear in Google searches. None of them appear to be accessible anymore.
Trello’s own advice for removing Trello-board content from Google indexes is that, in addition to setting the board’s status to private, users should contact Google directly and request to be delisted from the search engine’s results.
“When a board is made public, Google is efficient at getting the content of that board into their index,” said Trello’s website. “They're less efficient about coming back and checking that the board is still public.”
The site added that Trello profile pages cannot be made private or hidden from Google.
It said: “Because Trello is at heart a social collaboration app, we took our cues from the major social networks like Twitter, where you can easily search people on the site, but cannot see anything more about them than what they choose to make public. This means that your name, avatar, and bio show up publicly, but not your email address, and only public boards and teams will show up on your profile.”
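The mechanism described above (a board's permission level decides whether it is world-readable and indexable, and Google is slow to notice when a board later goes private) suggests a simple audit a department can run against its own Trello account: list every board, flag the public ones, triage their cards for obviously sensitive content, and collect the URLs that need submitting for delisting. The script below is an added example written for this page; it is not code from Trello, GDS or the article. It assumes the shape of Trello's REST API board and card objects (in particular `prefs.permissionLevel` taking the values `private`, `org` or `public`), works offline on constructed sample data in place of the live API responses, and uses a small set of heuristic regular expressions that a real audit would extend.

```python
"""Offline audit of Trello board visibility (added example, not Trello's or GDS's code).

Assumes the Trello REST API shape: each board carries prefs.permissionLevel with
one of 'private', 'org' or 'public'. The sample data below is constructed for
illustration and stands in for the live responses of
  GET https://api.trello.com/1/members/me/boards?fields=name,url,closed,prefs
  GET https://api.trello.com/1/boards/{id}/cards?fields=name,desc,url
"""
import json
import re

# Constructed sample boards (not real government boards).
SAMPLE_BOARDS_JSON = json.dumps([
    {"id": "b1", "name": "Content migration - planning", "closed": False,
     "url": "https://trello.com/b/abc12345/content-migration-planning",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b2", "name": "Team retro", "closed": False,
     "url": "https://trello.com/b/def67890/team-retro",
     "prefs": {"permissionLevel": "org"}},
    {"id": "b3", "name": "Old public board", "closed": True,
     "url": "https://trello.com/b/ghi13579/old-public-board",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b4", "name": "Private notes", "closed": False,
     "url": "https://trello.com/b/jkl24680/private-notes",
     "prefs": {"permissionLevel": "private"}},
])

# Constructed sample cards, keyed by board id.
SAMPLE_CARDS_JSON = json.dumps({
    "b1": [
        {"name": "Building passes", "url": "https://trello.com/c/card0001",
         "desc": "Ask reception on 020 7946 0000; contact jane.doe@example.gov.uk"},
        {"name": "Deploy notes", "url": "https://trello.com/c/card0002",
         "desc": "Staging password is hunter2 until rotation."},
        {"name": "Sprint goals", "url": "https://trello.com/c/card0003",
         "desc": "Finish the migration checklist."},
    ],
})


def public_boards(boards):
    """Return every board whose permission level makes it world-readable and
    indexable. Archived ('closed') boards are deliberately kept: archiving does
    not change the permission level, and a stale Google copy may still exist."""
    return [b for b in boards
            if b.get("prefs", {}).get("permissionLevel") == "public"]


# Heuristic patterns for triage only; matching does not prove data is sensitive.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "credential": re.compile(r"\b(?:password|passwd|secret|token|api[_ -]?key)\b", re.I),
    "uk_phone": re.compile(r"\b0\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
}


def scan_cards(cards):
    """Return (card_url, pattern_name) pairs for cards whose name or
    description matches one of the sensitive-data patterns."""
    hits = []
    for card in cards:
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        for label, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                hits.append((card["url"], label))
    return hits


def audit(boards_json, cards_by_board_json):
    """Build a report entry for each public board, with its triage hits."""
    boards = json.loads(boards_json)
    cards_by_board = json.loads(cards_by_board_json)
    report = []
    for board in public_boards(boards):
        hits = scan_cards(cards_by_board.get(board["id"], []))
        report.append({"board": board["url"], "closed": board["closed"], "hits": hits})
    return report


def delist_urls(report):
    """URLs to submit to Google's URL removal tool after the boards are made
    private: the board itself plus every card that was flagged."""
    urls = []
    for entry in report:
        urls.append(entry["board"])
        urls.extend(url for url, _ in entry["hits"])
    return sorted(set(urls))


if __name__ == "__main__":
    rep = audit(SAMPLE_BOARDS_JSON, SAMPLE_CARDS_JSON)
    for entry in rep:
        print(f"PUBLIC {entry['board']} (closed={entry['closed']}) hits={len(entry['hits'])}")
    print("submit for delisting:", delist_urls(rep))
```

Against the sample data the audit reports two public boards (one of them archived) and three triage hits, all on the planning board. Making a board private only stops new crawls; the delisting step is what removes the copy Google already holds, which is why the report keeps card URLs as well as board URLs.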
Trello’s use in Whitehall
Trello has been in use by the Government Digital Service and other departments and agencies for about five years.
In November 2013, a guidance document concerning the migration of government websites to GOV.UK domains advised departments that, when they reached the latter stages of their transition, “GDS will give you access to Trello, which is the tool you’ll use to manage your content’s workflow”.
In an April 2014 progress update on the Government Digital Strategy, GDS said it would be working with GCHQ to develop security accreditations for the use of a range of consumer technology tools and platforms, including Trello, but also others such as Salesforce, Box, and Google Apps.
A blog post from Civil Service Learning posted in February 2015 offered civil servants the “top six benefits of the Trello tool and tips for using it effectively”. None of these is security-related, but the blog does note that the platform simplifies the process of sharing information outside of government.
“We can easily share the board with our external commercial partners – something we can’t do with documents held on our secure Home Office systems,” the blog said.
A GDS blog published in March 2017 said that the organisation used four Trello boards, labelled planning, doing, done, and long-term vision (the 'done' board is pictured below left). Each board contained ‘cards’ for individual projects or pieces of work, and each card contained a list of updates and resources provided by users.
A number of Google Chrome plug-ins were also used by GDS “to help us optimise Trello”. An “unofficial Trello app called Corrello” was also used by the organisation to measure certain statistics on its use of the platform.
A government spokesperson said: "We take data protection very seriously, and impress upon all government departments to exercise best practice and implement suitable measures to ensure data is secure when using platforms such as Trello boards. The Government Digital Service and Trello are working with government departments to ensure any data breached is made secure. Trello have offered to make all government accounts private, to ensure data is better protected in the future.”
PublicTechnology had contacted Trello requesting comment and was awaiting response at time of going to press.
Peter Carlisle, EMEA vice president of tech firm Thales eSecurity, said “this incident should serve as a wake-up call to government departments and businesses about the risks associated with online sharing tools”.
He added: “Whilst everyone wants to see the public sector embracing the latest workplace platforms to drive efficiencies, these systems should be properly regulated to ensure sensitive information is protected and doesn’t end up indexed on search engines.”
An investigation earlier this year led by US cybersecurity journalist Brian Krebs and David Shear of threat-intelligence software firm Flashpoint found that various public-sector agencies in the US had published sensitive information on public Trello boards.
This included the Maricopa County Department of Public Health in Arizona, which hosted details of how to use its payroll system. Agencies of the US federal government’s Department of Health and Human Services had also shared sensitive details, Krebs and Shear found.