Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

A private yacht crew recruitment agency has left an AWS bucket containing the CVs, passports and even some drug test results for up to 17,000 people exposed to world+dog, according to reports. Crew & Concierge – a jobs firm in Bath, England, that targets "high net worth individuals", yacht captains, and management companies …

  1. Brian Miller

    We trusted them!

    Crew & Concierge director Sara Duncan blamed "the team of developers we had hired" for the bucket being left open, saying she had trusted the devs to "do a competent job" of securing "personal and sensitive personal information relating to our registered crew".

    Okay, which part of "productive idiot" did you miss?

    It doesn't shock me to see this, again and again. I have worked with many productive idiots, and managers who have no idea of the basic concepts of software development, let alone something like architecture and security. I hate web projects because pretty much the whole area is a shambles. The web giants don't care, the devs don't care, nobody cares because they don't feel any liability. If the local mechanic did a similar job on your car, you'd be up in arms with lawyers, etc. It comes down to devs doing garbage work, and managers letting it slide when they've been told again and again that it's going on.

    1. GnuTzu Silver badge
      Facepalm

      Re: We trusted them!

      Dunning-Kruger is rampant in IT. There's an imbalance in how people learn. Some focus too much on hacking. Some spend a decade or more in only one job and think the whole world works that way. Or they've only worked with one kind of hammer and everything is just the kind of nail that such a hammer is for. And, watch out for the ones with sledgehammers. And, then there are those with long strings of certs after their name, and still have to be told how things work.

      Finally, if it happens that you are in fact competent and work for those who are not, how are they going to be able to recognize that competence?

  2. Anonymous Coward

    BoatyMcBoatFacepalm

    'a Bath-based jobs firm that targets "high net worth individuals" '

    We'd all be high net worth individuals if we got paid ~£7K a month completely tax and NI free, only had to work rotation and had our board & lodgings paid while at work.

    1. phuzz Silver badge
      Facepalm

      Re: BoatyMcBoatFacepalm

      "We'd all be high net worth individuals if we got paid ~£7K a month"

      Yes, but average wages for offshore work are closer to the £2k/mo mark, I dunno where you got £7k from. Maybe a ship's captain would earn that, but then if I was personally responsible for a bloody great ship and the lives of all the people onboard it, I'd want to be paid £84k a year too.

      Plus, to qualify for zero tax on your income you have to spend at least half the year offshore, outside of UK waters*. Which generally means twelve hour shifts, living in a very small (probably shared) cabin, with limited internet access and leisure facilities, away from all your friends and family. It's not exactly a sinecure.

      * It's a bit more complicated than that really, don't rely on me for tax advice.

      1. IceC0ld Silver badge

        Re: BoatyMcBoatFacepalm

        TBH, I'd 'settle' for the 2k PCM as it's more than I get now, also if you are at sea, there isn't a lot to spend the pennies on, it would be a great way to save, and see the world.

        although I, personally, would be just one prima donna moment from the owner before I deep-sixed them and the job security went west too :o)

        did know some people doing this MANY years back, they enjoyed it for what it was, an experience to be had, but for the main part NOT a career choice

        back on target - sort of -

        just how hard WOULD it be for AWS containers to be made 'secure' by default, so that the devs would really have to balls it up to leave them open.

        off top of head, add secure password and the need to alter it on first access at the very least

        this isn't the first open container, won't be the last, but I am DAMN certain that nowadays, there will be people who will spend at least an hour a day surfing the latest AWS offerings to see who has left what out in the cold :o(

        1. Robert Helpmann?? Silver badge
          Childcatcher

          Re: BoatyMcBoatFacepalm

          ...just how hard WOULD it be for AWS containers to be made 'secure' by default, so that the devs would really have to balls it up to leave them open.

          They pretty much are. It takes someone opening them up for this sort of thing to happen. It's more a case of the devs being too lazy or incompetent to provide access properly, instead opting for the Allow-Any approach to security because of ease. The open access also may have been meant as a temporary measure for while the containers were being set up but someone forgot to close the intentionally opened hole.

        2. phuzz Silver badge

          Re: BoatyMcBoatFacepalm

          "just how hard WOULD it be for AWS containers to be made 'secure' by default, so that the devs would really have to balls it up to leave them open."

          They are now, but they only introduced that about a year or so ago (iirc).

          "TBH, I'd 'settle' for the 2k PCM as it's more than I get now, also if you are at sea, there isn't a lot to spend the pennies on, it would be a great way to save, and see the world."

          My brother works at sea, but doing survey work rather than crewing. He still enjoys it (and gets paid well), but I know how much he dislikes not being at home for so much of the year. It's basically as bad as shift work, but you don't even get to go home between shifts. There are certainly IT jobs at sea, although you'll have to be an all-rounder. If it's something you're interested in, give it a go!
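          The question a few posts up (can buckets be made secure by default?) and the two replies about the "Allow-Any" approach and the newer default come down to three things an S3 bucket carries: its ACL, its bucket policy, and the S3 Block Public Access settings. The following is an added example, not code from the thread or from AWS, that decides offline whether a given combination leaves a bucket open. The input shapes follow what boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block; the bucket name, owner ID and all sample data are constructed, and the Block Public Access values are assumed to be the effective ones (account-level and bucket-level already combined):

```python
"""Added example: decide offline whether an S3 bucket is exposed to everyone.

Inputs mirror the shapes returned by boto3's get_bucket_acl, get_bucket_policy
and get_public_access_block; the sample data below is constructed, not real.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def acl_public_grants(acl):
    """(group, permission) pairs the ACL hands to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return grants


def _principal_is_anyone(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy):
    """Sids of Allow statements that name everyone as principal and carry no Condition."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be a bare object
        statements = [statements]
    public = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditions such as aws:SourceVpce or aws:SourceIp can narrow a "*" grant;
            # those need a human look rather than an automatic verdict, so skip them here.
            continue
        public.append(stmt.get("Sid") or f"Statement[{i}]")
    return public


def assess_bucket(acl, policy, public_access_block):
    """Combine ACL, policy and Block Public Access into a verdict.

    Only IgnorePublicAcls and RestrictPublicBuckets neutralise an *existing* public
    ACL or policy; BlockPublicAcls and BlockPublicPolicy merely stop new ones being
    written, so they do not rescue a bucket that was already open.
    """
    pab = public_access_block or {}
    findings = []
    grants = acl_public_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL: " + ", ".join(f"{g} {p}" for g, p in grants))
    statements = policy_public_statements(policy)
    if statements and not pab.get("RestrictPublicBuckets", False):
        findings.append("Policy: " + ", ".join(statements) + " allow Principal '*'")
    return {"public": bool(findings), "findings": findings}


# Constructed samples: what an open bucket and a properly locked one look like.
OPEN_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-crew-uploads/*",   # made-up bucket name
    }],
})
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}
PRIVATE_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}

if __name__ == "__main__":
    for label, args in [("open", (OPEN_ACL, OPEN_POLICY, NO_BLOCK)),
                        ("open but blocked", (OPEN_ACL, OPEN_POLICY, FULL_BLOCK)),
                        ("private", (PRIVATE_ACL, None, NO_BLOCK))]:
        print(label, assess_bucket(*args))
```

          Run it as a script to print the three verdicts. The point worth taking away is that only IgnorePublicAcls and RestrictPublicBuckets neutralise an ACL or policy that is already public; an audit that checks just the two block-on-write flags would wave through a bucket that was opened before the block was switched on.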

      2. Anonymous Coward

        Re: BoatyMcBoatFacepalm

        phuzz>>> Yes, but average wages for offshore work are closer to the £2k/mo mark, I dunno where you got £7k from

        Perhaps read the article? Private motor yachts not cruise liners.

        Radio "Officer" (The IT guy these days.) or engineers get paid extremely well. Captains even more so.

  3. Anonymous Coward

    The advanced tools are somewhere for sure

    I once worked on an NHS website where the hugely incompetent vendor coded the "To:" address in the contact form as a hidden input field. After someone complained of being spammed via the website, the vendor claimed it was a "sophisticated attack" & would take time to fix. I was sort of able to prove it wasn't by knocking up a quick script and sending a couple of hundred emails to their support address. The idiots fixed it PDQ after that.

    I suspect if you've been stupid, the default position is to say an attack is "advanced". Those who know, already know it's not. But you might convince some people who don't know any better.

    Also, Christ there are some incompetent cowboys out there in web development land. It's easy to laugh, but really this yacht company should've been able to have a reasonable expectation the people building their site wouldn't do the equivalent of leaving the front door off.
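    The hidden "To:" field in the comment above is a textbook open mail relay, and the "quick script" that proved it only had to POST the form with a recipient of its choosing. As an added example, not the NHS site's code nor anything from the thread, here is a minimal Python mailer in both forms: the vendor-style one that reads the recipient from the form, and a hardened one that maps an opaque department name to a mailbox on the server and rejects CR/LF in header fields. The department names, mailboxes and sample submissions are all made up for the demonstration:

```python
"""Added example: a contact-form mailer that trusts a hidden 'to' field, beside one
that does not. Addresses, department names and submissions are invented."""
from email.message import EmailMessage
from email.utils import parseaddr

# Server-side mapping from an opaque form value to a real mailbox (assumed addresses).
DEPARTMENTS = {"support": "support@example.org", "press": "press@example.org"}
OUR_SENDER = "web-form@example.org"
MAX_HEADER = 200
MAX_BODY = 4000


class RejectedForm(ValueError):
    """Raised when a submission fails validation; the caller answers HTTP 400."""


def build_message_vulnerable(form):
    """The vendor-style design: recipient comes from a hidden <input name="to">.

    Anyone can save the page, edit the hidden value (or simply POST their own
    fields) and use the site as an open relay to any address they like.
    """
    msg = EmailMessage()
    msg["To"] = form["to"]
    msg["From"] = form["email"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["message"])
    return msg


def _header_value(value, max_len=MAX_HEADER):
    """One-line header text: reject CR/LF (header injection) and runaway lengths."""
    if "\r" in value or "\n" in value:
        raise RejectedForm("line break in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedForm("header field empty or too long")
    return value


def build_message_hardened(form):
    """Recipient chosen server-side; every client-supplied field is validated first."""
    dept = form.get("dept", "")
    if dept not in DEPARTMENTS:          # any 'to' sent by the client is ignored entirely
        raise RejectedForm("unknown department")
    _, reply_to = parseaddr(_header_value(form.get("email", "")))
    if reply_to.count("@") != 1 or " " in reply_to:
        raise RejectedForm("malformed e-mail address")
    body = form.get("message", "")
    if not body.strip() or len(body) > MAX_BODY:
        raise RejectedForm("message empty or too long")
    msg = EmailMessage()
    msg["To"] = DEPARTMENTS[dept]
    msg["From"] = OUR_SENDER              # our own domain, so SPF/DMARC still pass
    msg["Reply-To"] = reply_to            # the visitor's address goes here, not in From
    msg["Subject"] = "[Contact form] " + _header_value(form.get("subject", ""))
    msg.set_content(body)
    return msg


# Constructed submissions: a legitimate one, the relay abuse the thread describes,
# and a header-injection attempt.
LEGIT = {"dept": "support", "email": "Jane <jane@example.com>",
         "subject": "Login problem", "message": "I cannot sign in."}
ABUSE = {"to": "victim@example.net", "email": "spam@example.com",
         "subject": "Cheap pills", "message": "Buy now", "dept": "support"}
INJECT = dict(LEGIT, subject="Hi\r\nBcc: everyone@example.net")

if __name__ == "__main__":
    print("vulnerable sends to:", build_message_vulnerable(ABUSE)["To"])
    print("hardened sends to:  ", build_message_hardened(ABUSE)["To"])
    try:
        build_message_hardened(INJECT)
    except RejectedForm as exc:
        print("hardened rejected injection:", exc)
```

    The recipient never appears in the HTML at all in the hardened version; the form carries only a department key, and a key that is not in the server-side table is a 400, not a guess. Putting the visitor's address in Reply-To rather than From is a separate but related fix: mail sent "from" arbitrary domains off your own server fails SPF and gets your relay blacklisted even when the recipient is legitimate.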

    1. Version 1.0 Silver badge

      Re: The advanced tools are somewhere for sure

      The yacht company doesn't really care, it's not their customers' details that were lost, it was just the workers, so it's not going to affect their sales income very much. El Reg, check them out at the end of the year and see who gets a nice bonus.

    2. macjules Silver badge

      Re: The advanced tools are somewhere for sure

      "the hugely incompetent vendor"

      It was Capita. Go on. Admit it.

  4. SVV Silver badge

    Crew & Concierge left the door to its digital stables wide open

    And now there's seamen everywhere.

    1. macjules Silver badge

      Re: Crew & Concierge left the door to its digital stables wide open

      One might say that there are definite signs of seepage.

  5. Dr_N Silver badge
    Coat

    This'll blot their copybook...

    ...with Seaman Staines

  6. Pascal Monett Silver badge
    Trollface

    'a Bath-based jobs firm that targets "high net worth individuals" '

    How unfortunate that they didn't target "high net worth" project managers.

    Oh well, it's not a problem, right ? After all, it's not the rich people's data that got exposed, only the data of the peons who would like to work for said rich people. So no loss, really. Right ?

  7. Winkypop Silver badge
    Megaphone

    But I want a PORTHOLE!

    Miss Switched-on Manager, 30-something, tasked us to build a porthole.

    "A porthole" we responded.

    "Yes a bloody porthole, a web porthole!"

    You mean a portal?

    No, a porthole!

    True story.

  8. big_D Silver badge

    Buchbinder is even worse...

    I thought the Buchbinder leak at the weekend was worse.

    Information about politicians, celebrities, as well as around 3,000,000 proles. Rental agreements, driving licenses, payment details, accident reports, police breathalyser results and, in some cases sexual orientation and religious proclivities (rentals through a religious or gay rights organisation linked to individuals details).

    https://www.zeit.de/digital/datenschutz/2020-01/datenschutz-mietwagen-buchbinder-global-datenleck

  9. DJV Silver badge

    Yacht

    I saw a mention of "yacht" and was expecting to see another story about Oracle or Larry!

  10. Anonymous Coward

    Why is it called a bucket?

    1. moiety Silver badge

      There's a hoooooole in moi bucket, dear Lisa, dear Lisa; there's a hoooooole in moi bucket, dear Lisa, a hole.

  11. EnviableOne Silver badge

    When will they realise

    Since GDPR, you can outsource the work, but you can't outsource the responsibility.

    Once the ICO do their job, this may be a hefty fine, but if they have high net worth clients, they should have enough to contribute.

Biting the hand that feeds IT © 1998–2020