top of page

Atlassian Confusion Over Data Breach Highlights the Complexity of Securing Software Supply Chains

Atlassian, an Australian software company, and Envoy, a startup that provides workplace management services, are at odds over a recent data breach that saw the data of thousands of Atlassian employees exposed. The breach was first reported by CyberScoop.

Hackers known as SiegedSec leaked data on Telegram this week, which includes the names, email addresses, work departments, and phone numbers of approximately 13,200 Atlassian employees. Floor plans of Atlassian offices in San Francisco and Sydney, Australia, were also included. Atlassian blamed Envoy for the breach, but the startup denied responsibility. The Sydney-based firm then stated that the hackers had used the credentials of an Atlassian employee that had been mistakenly posted in a public repository to compromise the Atlassian data from the Envoy app.

Envoy was subsequently cleared of any wrongdoing. This was not the first security incident involving Envoy, as in 2019, security researchers at IBM discovered two flaws in the startup's visitor management system that could have exposed customer data.

Lorri Janssen-Anessi

Lorri Janssen-Anessi, Director External Cyber Assessments, BlueVoyant, highlighted why it's critical for organizations to take a hard look at vendor and supplier cybersecurity postures:

"The reported Atlassian breach due to a third party is yet another reminder for organizations to look at their own vendor and supplier cybersecurity. Many organizations have recently been breached due to an issue with a third party.

To monitor supply chain security, organizations should be continuously monitoring their third parties and working closely with them to quickly remediate any issues. Many organizations instead use questionnaires to monitor their vendors but this only gives a point-in-time view.

Organizations need to also closely monitor how quickly their vendors patch. For example in June, Atlassian announced an active vulnerability present in its Confluence Data Center and Serve. The company had a release available the next day. According to BlueVoyant’s threat intelligence, after the June 3 Confluence fix was announced, about 30% of vulnerable organizations patched within the first 10 days. However, the patch rate plateaued the following week. That means 70% of vulnerable Confluence instances remained exposed, a major risk for those organizations. Cyber criminals are learning to exploit vulnerabilities like this faster, so time unpatched is risky."



bottom of page