Introduction
The Open Worldwide Application Security Project (OWASP), a non-profit organization esteemed for its commitment to software security, recently disclosed a significant data breach. This incident stemmed from a misconfiguration of its old Wiki web server, resulting in the exposure of several members’ resumes.

Background of OWASP
Founded in December 2001, OWASP has been a cornerstone in the realm of software security. With tens of thousands of members globally and over 250 chapters, the foundation plays a pivotal role in organizing educational and training conferences worldwide, focusing on enhancing software security knowledge and practices.

Discovery and Impact of the Breach
The breach was discovered in late February following multiple support requests, which pointed to a misconfiguration of the MediaWiki server. The exposure primarily affected members who joined OWASP between 2006 and 2014, the period during which submitting a resume was part of the membership process.

OWASP Executive Director Andrew van der Stock stated, “The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information (PII).” This breach represents a significant risk given the sensitivity of the data involved.

Changes in Membership Process
Van der Stock emphasized that OWASP’s membership procedures have evolved, eliminating the need to collect resumes. This change reflects an enhanced understanding of data privacy and security.

Response and Remediation Efforts
In response to this breach, OWASP has implemented several corrective measures: disabling directory browsing on the web server, a comprehensive review of the web server and MediaWiki configurations, and the removal of all resumes from the Wiki site. To cut off any remaining access to copies of the files, they have also purged the Cloudflare cache and asked the Web Archive to remove the exposed resume information.
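The article does not say which web server OWASP runs or how the listing was exposed. As an added illustration (not OWASP's configuration), the following shows, for Apache httpd, the setting that makes an upload directory browsable beside the corrected one. The server type, the document root `/var/www/wiki` and the upload directory `images` are assumptions for this example.

```apache
# Added example, not OWASP's configuration. Assumes Apache httpd 2.4 with a
# MediaWiki install under the hypothetical path /var/www/wiki and uploads
# stored in /var/www/wiki/images. Use ONE of the two <Directory> blocks.

# --- Weak: directory browsing enabled ---
# With "Indexes" set and no index file present, a request for /images/
# returns an auto-generated listing of every uploaded file, which is
# exactly the kind of exposure the article describes.
<Directory "/var/www/wiki/images">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Corrected: directory browsing disabled ---
<Directory "/var/www/wiki/images">
    # "-Indexes" removes the auto-generated listing; a request for the
    # bare directory now receives 403 instead of a file inventory.
    # Individual files that are directly linked remain reachable.
    Options -Indexes +FollowSymLinks
    # Caveat: AllowOverride None means any .htaccess shipped inside the
    # directory is ignored, so the Indexes setting must live here in the
    # main server configuration rather than in a per-directory file.
    AllowOverride None
    Require all granted
</Directory>
```

After reloading the server, a defender can confirm the change by requesting the bare directory URL and checking for a 403 (or an index page) rather than a file listing, and by repeating that check for every other directory under the document root, since a single browsable path is enough to reproduce this incident. The nginx equivalent is `autoindex off;`, which is the default there, so on nginx the review is for any `location` block that explicitly turns it on. Purging CDN caches and archived copies, as the article describes, is still necessary afterwards: fixing the origin does not remove copies already served.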

Notification and Advice to Affected Individuals
The foundation is in the process of notifying affected individuals. Van der Stock noted, “OWASP has already removed your information from the Internet, so no immediate action on your part is required. Nothing needs to be done if the information at risk is outdated.” However, for those whose exposed details remain current, the usual precautions against unsolicited emails, mail, or phone calls are advised. This incident highlights the ever-present risks associated with data management and the importance of rigorous security configurations.