Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to the exposure of nearly 900 million confessions and secrets on the app Whisper is not the first time the company has faced issues. In 2014, Whisper was accused of monitoring the whereabouts of its users, including some who had requested not to be followed. There were claims that Whisper was tracking users it deemed newsworthy, such as military personnel, Disney employees, and a lobbyist in Washington DC. The Guardian newspaper reported on these allegations, suggesting that Whisper was occasionally sharing information with the US government. Whisper denied these accusations, stating that it does not follow or track users without consent [97194].
(b) The software failure incident involving the exposure of confidential data on Whisper is not an isolated case. Similar incidents of data leaks and privacy breaches have occurred in other organizations. For example, the cybersecurity consultants who discovered the exposed database on Whisper, Matthew Porter and Dan Ehrlich, also uncovered a data leak in Wyze that occurred the previous year. This indicates that data security issues are not unique to Whisper [97194]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the case of Whisper's exposed database. The incident occurred due to the database being left open to the public internet without proper password protection, leading to nearly 900 million confessions and secrets being exposed [97194].
(b) The software failure incident related to the operation phase is evident in the way Whisper's exposed database was accessible to the public, allowing anyone to browse and search through the records. This operational flaw led to a significant privacy and security risk for users, potentially resulting in their lives being ruined or families being blackmailed due to the exposed information [97194]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident related to the exposure of nearly 900 million confessions and secrets on the app Whisper was primarily within the system. The incident occurred due to a non-password-protected database that was open to the public internet, allowing anyone to browse and search through the records [97194]. Additionally, the exposed database contained personal information tied to the messages, which could potentially unmask or blackmail users who shared the posts. The failure was exacerbated by the fact that the database was online for years, indicating a long-standing issue within the system [97194].
(b) However, there were also contributing factors outside the system that played a role in the software failure incident. For example, the cybersecurity consultants who discovered the exposed database, Matthew Porter and Dan Ehrlich, alerted authorities and Whisper about the issue, indicating external intervention in response to the failure [97194]. Additionally, the incident raised concerns about societal and ethical norms regarding the protection of children online, highlighting external factors such as regulatory and ethical considerations that were breached [97194]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the Whisper app exposing nearly 900 million confessions and secrets was due to non-human actions. The incident occurred because the database containing the sensitive information was left exposed on a non-password-protected server open to the public internet [97194].
(b) Human actions also played a role in the software failure incident. The cybersecurity consultants who discovered the exposed database, Matthew Porter and Dan Ehrlich, alerted authorities and Whisper about the issue, leading to the access being removed. Additionally, Whisper's parent company, MediaLab, disputed the findings of the security researchers, stating that the exposed data was a consumer-facing feature of the application that users could choose to share or not share [97194]. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident related to hardware:
- The incident reported in the article does not directly point to a hardware failure as the root cause of the issue. The exposure of nearly 900 million confessions and secrets on the Whisper app was due to a non-password-protected database open to the public internet, indicating a lack of proper security measures rather than a hardware failure [97194].
(b) The software failure incident related to software:
- The software failure incident in this case was primarily due to contributing factors originating in software. The exposure of the confidential data on the Whisper app was a result of a non-password-protected database, which is a software-related issue of inadequate security measures implemented in the application [97194]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident in the article can be categorized as malicious. The incident involved nearly 900 million confessions and secrets posted on the app Whisper being left exposed on a non-password-protected database open to the public internet. This exposure of sensitive information, including personal details of users, was due to a security vulnerability that could potentially lead to unmasking or blackmailing of users who shared the posts [97194]. The incident was discovered by cybersecurity consultants who alerted authorities and Whisper about the exposed database, highlighting the severity of the breach and the potential risks it posed to users' privacy and safety.
(b) The software failure incident in the article can also be categorized as non-malicious. Whisper, the app where the data leak occurred, is described as a platform where users can share messages anonymously. The exposure of the data was not intended, as the database was not designed to be queried directly, indicating a lack of proper security measures in place to protect the information shared by users [97194]. Additionally, there were previous concerns raised about Whisper monitoring the whereabouts of its users without their consent, suggesting a lack of transparency and potentially inadequate data protection practices [97194]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
[a97194]
The software failure incident related to the exposure of nearly 900 million confessions and secrets on the app Whisper was primarily due to poor decisions made by the company. The incident occurred because the database containing the sensitive information was left exposed on a non-password-protected server open to the public internet. Despite the potential risks and privacy concerns, Whisper's parent company, MediaLab, disputed the findings and claimed that the exposed data was a consumer-facing feature that users could choose to share or not share. This lack of proper security measures and the failure to protect user data adequately can be attributed to poor decisions made by the company, leading to the software failure incident. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence can be seen in the case of the Whisper app data exposure incident. The incident occurred due to nearly 900 million confessions and secrets posted to the app being left exposed on a non-password-protected database open to the public internet [97194]. This exposure of sensitive user data, including personal information tied to the messages, such as age, ethnicity, gender, hometown, and more, was a result of inadequate security measures and negligence on the part of the app developers. The cybersecurity consultants who discovered the exposed database highlighted that the personal information was enough to unmask or blackmail the users who shared the posts, indicating a lack of professional competence in ensuring data security [97194].
(b) The software failure incident related to accidental factors can be observed in the unintentional exposure of the Whisper app data. While Whisper claimed that much of the data was intended to be visible to users in the app, the exposed database was not designed to be queried directly, suggesting an accidental oversight in the implementation of data protection measures [97194]. Additionally, the fact that the exposed bucket containing user information had been online for years without proper safeguards in place indicates an accidental failure in ensuring the privacy and security of user data [97194]. |
Duration |
permanent |
(a) The software failure incident in the article seems to be permanent as the exposed database containing nearly 900 million confessions and secrets on the Whisper app was online for years [97194]. The data was left exposed on a non-password-protected database open to the public internet, allowing anyone to access and download the information in bulk, potentially leading to privacy issues and risks for the users involved. The incident was not a one-time occurrence but rather a long-standing exposure of sensitive data, indicating a permanent failure in terms of data security and privacy. |
Behaviour |
crash, omission, other |
(a) crash: The incident involving Whisper's exposed database can be categorized as a crash. The database was left exposed on a non-password-protected server, allowing the public to access and search through nearly 900 million confessions and secrets posted on the app. This unauthorized access and exposure of sensitive information can be considered a crash in terms of system failure, as it led to a loss of control over the data and compromised the privacy and security of users [97194].
(b) omission: The incident can also be classified as an omission failure. Despite Whisper's claims that much of the data exposed was intended to be visible to users within the app, the fact that the database was left unprotected and accessible to the public indicates an omission in terms of failing to adequately secure and protect user data. This omission led to the exposure of personal information tied to the messages, potentially putting users at risk of privacy issues and blackmail [97194].
(c) timing: There is no specific information in the articles to suggest that the software failure incident was related to timing issues.
(d) value: The incident does not directly relate to a failure due to the system performing its intended functions incorrectly.
(e) byzantine: The incident does not align with a byzantine failure, which involves erroneous behavior with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident can also be described as a violation of societal and ethical norms regarding the protection of children online. The exposure of sensitive information, particularly related to users as young as 15 years old, highlights a significant ethical failure in terms of safeguarding user privacy and security [97194]. |