Adafruit, the New York City-based open-source hardware component manufacturer, recently disclosed that it had experienced a data leak.
The company announced that the breach took place because a GitHub repository was viewable by the public.
In its data leak advisory, Adafruit voiced its suspicions that the incident could potentially have allowed “unauthorised access” to private information held on certain users from 2019 or before.
The New York City company is well-known for producing hardware components dating back to its origins in 2005 and now designs, makes, and sells a wide range of well-received electronics products, accessories and tools. It was founded by the American electrical engineer Limor Fried, also known by her online handle “Ladyada”.
Customer data retained in ex-employee GitHub repository
On March 4, Adafruit made a statement that a GitHub repository with public access contained a collection of data that comprised information on a selection of user accounts. The information included full customer names, shipping, billing and email addresses, and order placement details.
According to the technology manufacturer, the data set involved contained no user passwords or financial information such as payment cards, but the disclosed order details could potentially be used by phishing actors and spammers to single out Adafruit’s customers as victims of a cybercriminal campaign.
Curiously, the leak did not originate from the company’s own GitHub repository but from one belonging to a former employee of Adafruit. Evidence suggests that the former employee was using real customer information for data analysis and training operations in their own dedicated GitHub repository.
Actions taken following a data leak
In its recent security notification, Adafruit commented on its actions:
“Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved.”
At present the New York firm is unaware of any instances where the exposed information has been misused by a threat actor. Adafruit added that it is disclosing the data leak solely for the purposes of accountability and transparency.
Initially, the company opted not to contact every user by email regarding the notification. It explained that, while the company ensures all security breaches are always published on the Adafruit blog and site security pages, no action was required on the part of users in this instance, as no payment card details or passwords were put at risk in the leaked data analysis set.
Adafruit’s founder and her husband, the firm’s managing director Phillip Torrone, commented in a joint statement:
“We evaluated the risk and consulted with our privacy lawyers and legal experts and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case.”
However, Adafruit later revised this stance and announced it would be contacting users via email.
The company has confirmed that it is now putting additional access controls and protocols in place to avoid data exposure in the future.
One way to prevent data leaks from causing damage is by encrypting the data. This means that only designated recipients will be able to actually read the data, rendering it useless to anyone else. Galaxkey’s platform encrypts emails and shared data, which means you’re protected from data being exposed. You can contact our team to find out more.