Cyber Defense Advisors

21 million employee screenshots leaked in bossware breach blunder

Graham CLULEY

April 29, 2025


If you thought only your boss was peeking at your work screen, think again.

As Cybernews reports, employee-monitoring tool Work Composer has committed a jaw-dropping blunder, leaving a treasure trove of millions of workplace screenshots openly accessible on the internet with no encryption in place, and no password required.

Over 21 million images of employees’ captured screens, along with usernames, IP addresses, and device details, were left sitting in an unsecured Amazon S3 storage bucket.

A tool which was intended to, amongst other things, monitor unusual or suspicious behaviour by over 200,000 workers around the globe has itself leaked secret and sensitive information to anyone who went looking for it.

Work Composer’s website claims that it understands that “security is paramount” for its enterprise customers, and that it uses “industry-leading security measures” to ensure the protection and integrity of clients’ data.

However, as Cybernews points out, internal emails, internal chats, API keys, confidential business documents, usernames, and passwords that “could be exploited to attack businesses worldwide” were left unsecured.

According to Cybernews, it informed Work Composer of its serious security problem – and access to the sensitive information has now been properly secured.

But you can’t help but wonder – who might have been able to access the millions of screenshots beforehand?

Work Composer is a form of “bossware” – software designed to track employee activity by recording keystrokes and periodically snapping screenshots of their screens.

Like “stalkerware,” I don’t believe that anyone who has bossware installed on their computers is keen on the idea.

Bossware is used by companies to gauge staff productivity, and to determine if people are “doing what they should be doing.” But in this case, it was the Work Composer bossware that was misbehaving – leaving sensitive captured data wide open for anyone to access.

What started as an attempt by companies to keep their employees productive has turned into a case study in how not to handle sensitive data. It only takes one screenshot showing a password or confidential deal to spark a major breach or assist a corporate espionage attempt.

Many businesses may be tempted to deploy bossware surveillance tools, watching over staff members’ shoulders to ensure they are doing their jobs correctly and working productively – especially as more and more people work remotely.

But if the companies developing the bossware fail to follow basic security practices themselves, they risk putting everyone in danger.

It’s not even as if this is the first time that a bossware company has been caught out by a security snafu. Earlier this year, for instance, an Amazon S3 web bucket belonging to bossware firm WebWork Tracker was found to have been left unsecured despite containing – yup… you guessed it! – sensitive screenshots from remote workers’ computers.

You have to begin to wonder – is bossware going to actually help your business, or could the reality be that you are introducing a real risk into your organisation?

 
