Sangoma has concluded a thorough investigation into a misconfiguration of an internal, long-unused customer support ticketing system historically used by Sangoma’s support and engineering departments to resolve IT and customer issues. As part of that investigation, we were obliged to comply with applicable legal requirements and procedures and have reported the incident to the appropriate legal authorities: we are now permitted to make this public.
While the investigation found no malicious use, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.
Our investigation has determined that a permission change made by the IT team to the two deprecated Jira projects on Nov 12, 2019 allowed public read-only exposure of the data. For specific search phrases, the contents of those Jira tickets were being offered as part of search engine results. Individuals would have been able to click on the search result and open the specific Jira ticket offered by the search engine.
We became aware of the issue on Dec 17, 2019 and, on the same day, Sangoma IT remediated the configuration to restrict the Jira access and prevent any further unauthorized access. This issue was specific to two internal deprecated Jira projects, INFRA & SIP, which have NOT been in use for a number of years and were only used for internal support cases by IT and Cloud Services support teams.
Our investigation confirmed that substantially all of the records did not contain any personal or CPNI information in accordance with our standard practices. After reviewing the contents of all Sangoma INFRA & SIP tickets that were exposed to the internet and cross-referencing the tickets against the access logs, we determined that there were two cases of possible exposure. None of the data exposed was material and we informed our affected customers.
We are committed to the privacy and security of our customers and are taking action to prevent future occurrences of this issue. We have updated our procedures to make sure that such changes do not occur in the future: alerts will be triggered on configuration changes, along with scheduled periodic reviews of public-facing systems.
We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to make sure that such mistakes do not happen again.