In July 2020, Appen, a large transcription, data annotation and AI assistance company, reported unauthorised access to its systems by a third party.
Press Release from Appen Limited 31st July 2020
The relevant parts of the press release from Appen are as follows:
Appen Limited (“Appen”) (ASX:APX) is advising the market of an incident involving unauthorized access to its systems via a third-party provider. […] Malicious actors hacked the systems of the third-party provider and stole credentials enabling unauthorized access to Appen’s systems. […] Appen’s investigation has determined that the unauthorized actors gained access to Appen’s user authentication database. […] It contained customer and crowd names, company names, email addresses, encrypted (hashed) passwords, IP addresses, and historical login and log off times. A small percentage of records contained phone numbers.
Appen in Their Own Words
The Appen press release gives this quick summary, in the company's own words, of the work it undertakes: “with expertise in more than 180 languages, a global crowd of over 1 million skilled contractors, and the industry’s most advanced AI-assisted data annotation platform, Appen solutions provide the quality, security, and speed required by leaders in technology, automotive, financial services, retail, manufacturing, and governments worldwide. Founded in 1996, Appen has customers and offices around the world.”
Firefox Warning Popup – 5,000,000 Accounts Compromised
As of September 2020, Mozilla includes a popup warning when you visit the Appen website via the Firefox browser, indicating that 5,000,000 Appen users' details have been accessed. The following is the warning on the Firefox Monitor:
“On June 22, 2020, Appen was breached. Once the breach was discovered and verified, it was added to our database on July 30, 2020.”
The Importance of the Firefox Appen Data Breach Warning
Why is this important? In transcription terms Appen is a larger-sized player working for a wide range of clients including academic and government institutions in the UK. Appen is also a large data collator working with the world of AI – their business appears to be focused on creating a huge online resource for training AI systems by providing large teams of home workers around the world to assist in the improvement and education of artificial intelligence systems.
Why is this Breach Significant?
The data breach is significant because one of the fundamental elements of transcription work when supplying government and academic institutions is the understanding that all data, which is very often extremely sensitive, is not capable of being accessed by third parties. The data security requirements of most tenders for work are usually quite onerous, as IT security tends to be a key element for all our clients, who are understandably nervous about allowing data to be transferred to a third-party transcription business.
Smaller Companies – What’s the Relevance?
TP Transcription Limited is a much smaller company than Appen. We are Cyber Essentials, ISO 27001 and ISO 9001 accredited. We have secure systems in place, internet firewalls, our upload facilities are SSL secure and we offer all clients the use of encrypted emails. We are UK based, all our transcribers are UK or Ireland based and British or Irish nationals. Our data remains in the UK at all times and we have a unique service available for all our university clients in that we have GDPR compliant servers based in the UK (which will remain EU GDPR compliant even after the UK leaves the EU).
Any Company, Any Size
Unfortunately, the breach that Appen have experienced shows that companies of any size can be subject to exactly the same security breaches and the same potential for the compromise of data. Appen will have extensive levels of security and presumably invest huge amounts of time and money in protecting their systems. After the breach they have obviously followed their ISO 27001 procedures and, according to their press release, they have used an external cyber forensics company to sort out the breach and ensure their security is watertight again. As they are a listed company the breach has to be reported, which is why we have the information to hand, as it is publicly available.
What Does the Appen Breach Teach Us?
The breach teaches us that you can never be complacent around the issue of IT security. In the transcription & translation business it has to be fundamental to the day-to-day operations of any company, as all our clients rely on the ability to securely transfer data for processing, regardless of whether the data is being altered from speech to text or written records.
A Permanent Record
Appen has indicated that it has ‘bolstered its security to prevent repeat or follow-on security incidents.’ However, it is currently left with the problem that whenever anyone visits parts of their website using the Firefox web browser, a warning pops up to say that the site has experienced problems with 5,000,000 accounts being compromised. There is not a lot Appen can do about Mozilla logging data breaches, and presumably in time the warnings will disappear.
A lesson for all transcription companies of any size – take IT security very seriously indeed…