U.S. Internet Corp.’s business unit, Securence, which is known for providing secure email services to businesses, educational institutions, and government agencies, recently made headlines for all the wrong reasons. It was revealed that U.S. Internet had been publicly exposing more than a decade’s worth of its internal emails, as well as the emails of thousands of Securence clients, on the Internet in plain text.
Based in Minnetonka, Minn., U.S. Internet is a regional Internet service provider (ISP) that offers fiber and wireless Internet service. Its Securence division is described as a leading provider of email filtering and management software, catering to small businesses, enterprises, educational institutions, and government entities worldwide.
The exposure of thousands of domain names linked to U.S. Internet mail servers was discovered by cybersecurity firm Hold Security. This discovery led to the revelation of inboxes for individual employees or users associated with these domains, some dating back to 2008.
Of great concern is the fact that among the affected customers were state and local governments, including high-profile domains such as nc.gov, stillwatermn.gov, and cityoffrederickmd.gov. Even more shocking is the revelation that the internal emails of current and former U.S. Internet and USI Wireless employees were exposed as well.
Upon being notified of the breach, U.S. Internet promptly removed all of the published inboxes from public access. However, the company’s CEO, Travis Carter, was unable to provide a compelling explanation for the incident. He attributed the issue to an incorrect configuration in the Ansible playbook, an issue that was never caught despite being put in place by a former employee. The company is now conducting audits on its platform and other backend services to rectify the issue.
Additionally, it was discovered that hackers had been exploiting Securence’s link scrubbing and anti-spam service called Url-Shield to redirect visitors to hacked and malicious websites. This revelation points to further security issues within U.S. Internet’s services.
To make matters worse, U.S. Internet failed to disclose the incident on its website, raising questions about the company’s transparency and security practices. Considering the scale of this security blunder, it is apparent that U.S. Internet will need to undergo significant reforms and demonstrate improved transparency before it can be trusted to manage anyone’s email again.
KrebsOnSecurity, a respected authority on data breaches, has been vocal about this incident and has emphasized the need for U.S. Internet to take the necessary steps to rebuild trust and demonstrate a commitment to better security practices. The company’s lack of transparency and the magnitude of the mistake made this incident especially egregious and deserving of serious attention from authorities and regulators.