There’s a whole lot to parse out when it comes to this CNBC story about a supposed data leak on the CBS app during March Madness, but essentially, it appears to come down to a he said, he said story, and one where it’s hard to evaluate who’s right. Michael Covington, vice president of product at Wandera (a company focused on providing secure mobile data services), told CNBC’s Jessica Golden that his company found a data leak in CBS’ app, while CBS denies any leak and took a shot at Wandera “publicizing the security operations of other firms for their own purposes.” Here are the competing comments:
Mobile data management and security firm Wandera said it found a data leak on the CBS Sports app and mobile website during the college basketball tournament, allowing user data to possibly be compromised.
CBS Sports denied any breach.
“We know that information was leaked. Anyone who is using their mobile device on a public Wi-Fi would have been exposed,” said Michael Covington, vice president of product at Wandera.
…Wandera said CBS Sports failed to properly encrypt its site and app. “This does not mean that the app or website was breached by an attacker. Instead, the app/site development teams simply failed to use encryption to protect the user’s sensitive data,” said Covington.
The report found that both Android and iOS versions of the CBS Sports app and the CBS mobile website failed to protect user names, dates of birth, email addresses, account passwords in clear text, and ZIP codes during the registration.
“Once you have that information, you have the keys to the kingdom,” said Covington.
CBS Sports denied the claims of a data breach and said it is rigorous about monitoring its platforms for any potential security issues. “There was no data breach on either the CBS Sports app or mobile site,” CBS Sports Digital said in a statement. “We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection.”
So, this essentially appears to come down to Wandera saying CBS’ standards are insufficient (and hey, maybe they should hire Wandera to do security for them!) and CBS saying nothing happened here and Wandera is just trying to get attention. Where this gets more interesting, though, is the claim that Wandera notified CBS of a vulnerability and CBS fixed it in response:
Wandera said it came across the alleged vulnerability unexpectedly, while doing research on sports applications ahead of March Madness. As its engineers tracked data across various sports sites, they noticed unprotected data coming across its cloud service from CBS.
Once they discovered it, Wandera said, it immediately notified the network. It took about a month, but CBS notified Wandera the bug had been fixed, the security firm said.
If CBS actually did take action to fix this “bug” as Wandera claims, then Wandera’s claims would seem to have some merit; that would suggest that the initial CBS approach was insufficient. However, that doesn’t translate into Covington’s comment that “We know that information was leaked,” and that comment also seems odd next to his later comment that “This does not mean that the app or website was breached by an attacker.” That seems to indicate that there was a chance of someone picking up on this information, not that “we know that information was leaked.”
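The distinction being drawn here, between data that was exposed on the wire and data known to have been taken, is something an app team can check for itself. Below is an added example, not code from Wandera, CBS or CNBC, that audits captured form submissions and reports which of the fields named in the report travel over plain HTTP; the host, paths and sample requests are constructed placeholders.

```python
"""Flag registration requests that carry sensitive fields without TLS.

Added example, not Wandera's, CBS's or CNBC's code. The captured requests
below are constructed; host, paths and field names are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# The fields the CNBC report says were sent in clear text during registration.
SENSITIVE_FIELDS = {"username", "dob", "email", "password", "zip"}


@dataclass
class Request:
    scheme: str  # "http" or "https"
    host: str
    path: str
    body: str    # form-encoded body as captured on the wire


def exposed_fields(req: Request) -> set:
    """Return the sensitive fields this request sends with no transport encryption.

    Only plain-http requests count: over https the body is not readable by anyone
    else on the same Wi-Fi. The body is parsed as application/x-www-form-urlencoded.
    """
    if req.scheme.lower() == "https":
        return set()
    fields = {k.lower() for k in parse_qs(req.body, keep_blank_values=True)}
    return fields & SENSITIVE_FIELDS


def audit(requests):
    """Return (host+path, exposed fields) for every request that exposes something."""
    return [(f"{r.host}{r.path}", f) for r in requests if (f := exposed_fields(r))]


# Constructed sample capture: placeholder host, not a CBS endpoint.
SAMPLE = [
    Request("http", "sports.example", "/register",
            "username=fan1&email=fan1%40example.net&password=hunter2&dob=1990-01-02&zip=10001"),
    Request("https", "sports.example", "/register",
            "username=fan2&email=fan2%40example.net&password=s3cret&dob=1988-05-06&zip=60601"),
    Request("http", "sports.example", "/scores", "league=ncaab&day=2019-03-21"),
]

if __name__ == "__main__":
    for endpoint, fields in audit(SAMPLE):
        print(f"{endpoint}: {sorted(fields)} sent in clear text")
```

The same check over a real capture will only tell you the fields were exposed to anyone on the network path, which is exactly the gap between “exposed” and “we know it was leaked.”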
Anyway, it all adds up to an argument between CBS and this security company. If CBS app users don’t buy the company’s defense, this may turn into something larger, and the company may take substantial flak for denying this and trying to shrug it off. For now, though, it appears to be just Wandera saying there was a problem (and, as CBS notes, they have very self-interested reasons to do so). If there was a real problem here, the scale would make it a potentially big one; the CBS app has 5-10 million downloads on Google Play and plenty more on iOS. We’ll have to wait and see if more develops on this front.