The company reported in March that misconfigured Salesforce software had given every user access to every other user’s information, including financial projections, launch plans and confidential exchanges.
The authorized user had to do was tick a box on the advanced search page to be served attachments connected to any of the more than 1,500 applications for new dot-word domains like .blog and .london, over a third of which came from the world’s biggest brands. It has impacted 96 applicants. The searches were carried out by 19 users.
CANN’s new CIO Ashwin Rangan stated in an interview that his company does not know if the confidential attachments were downloaded or not. Those impacted “will be informed shortly.”
ICANN said it realizes that “any compromise of our users’ data is unacceptable,” and that it “deeply regrets this incident.” It pledged “to accelerate our efforts to harden all of our digital services.”
Awfully, it appears to place blame on the users that used the advanced search feature: “ICANN is contacting the user or users who appear to have viewed information that was not their own and requiring that they provide an explanation of their activity. We are also asking them to certify that they will delete or destroy all information obtained and to certify that they have not and will not use the data or convey it to any third party.”
ICANN is continuing to investigate the circumstances surrounding the access to this information and has not made a final determination regarding the nature of the access.
ICANN has encountered security breaches several times. In December 2014, the organization admitted that a number of its systems had been infected including the Centralized Zone Data System (CZDS) where the internet core root zone files are emulated.