A state-owned French transportation giant has inadvertently exposed nearly 60,000 employees to identity fraud after leaking their personal information via an unsecured HTTP server, according to researchers.
A team at vpnMentor found the server on October 13, and deduced from the file names that the culprit was Régie Autonome des Transports Parisiens (RATP), which runs public transport across the French capital and beyond.
The organization apparently never replied to the team, but the French CERT was more responsive and shut the privacy snafu down “shortly after.”
Among the exposed data were employees' full names, email addresses, logins for their RATP employee accounts and MD5-hashed passwords.