A security flaw at Bull on Thursday briefly allowed anyone access to the IT company's servers, offering up confidential information on both the company and its high-profile customers. Those customers include France Telecom, UK bank Barclays, the British Royal Air Force, the Italian Army and Aerospatiale's missile division, among others.
The flaw was fixed about noon local time Thursday. Bull -- IBM's main competitor in France -- told ZDNet France that the hole had appeared that morning.
The breach allowed any surfer access to highly sensitive information -- including, for example:
- Which servers are installed in the missile branch of Aerospatiale;
- Details on the type and location of servers used for the French national police database of stolen vehicles;
- Information on current Barclays projects;
- French bank Credit Agricole's security initiatives;
- The phone number of the billing supervisor at France Telecom;
- Information on the UK's Royal Air Force.
The information was available on a Web site that contains an international database for Bull employees, with real-time customer information.
Many companies -- both French and foreign -- have access to small subsets of the information, including confidential Word documents. The indexed firms include finance, defence, health and energy companies, among others.
Many of the Web pages date from 1998 or 1999, but some were recently updated.
Most of the information was supposed to remain confidential, especially the names and telephone numbers of persons in charge of sensitive sectors such as defence. In addition, the documents offer a wealth of information for the companies' competitors. The site was also supposed to be password-protected.
The security hole was uncovered by the Kitetoa site, which was created to spot these kinds of flaws. Ironically, the site runs on Lotus Domino, which is owned by Bull competitor IBM.
Bull representatives attempted to downplay the incident. "Only one of our servers was briefly accessible. We acknowledge the error, but it was the result of human error," the director of data processing told ZDNet France.
Still, the incident is a blow for France-based Bull, which operates in more than 100 countries. The company's former BullSoft division, recently spun off as independent subsidiary Evidian, has just started doing business in the United States. Evidian publishes security and administration software for Internet servers.
Bull, meanwhile, recently teamed with Certplus to provide "Internet security applications" such as secure email.
Take me to the Hackers News Special
What do you think? Tell the Mailroom. And read what others have said.