MongoDB, a database software provider whose stock has been on a tear recently, just hired its first-ever chief information security officer. The appointment, which came Friday, signals that the company plans to take security more seriously even as it faces stiffened competition from the likes of Amazon and other tech giants.
The new boss is Lena Smart, a Glaswegian cybersecurity professional. Smart formerly held the same title at IPO-bound Tradeweb, a financial services firm that supplies the technology behind certain electronic trading markets. Prior to Tradeweb, she headed security at the New York Power Authority, where she worked for more than a decade. A cellist in her spare time, Smart told me in her Scottish brogue that her priority in the new job will be “knowing what the crown jewels are—that’s our customer data—and making sure that’s always protected.”
People leaving MongoDB and other databases unsecured on the web has been a persistent source of data-leaks over the years. Just this month, a security researcher discovered one such sieve that exposed to public view a trove of sensitive information, including location data, on millions of people in China. The misconfigured repository appears to have originated from SenseNets, a Shenzhen-based company that is likely providing the Chinese government with crowd-surveilling, facial recognition technology to track the country’s muslim Uyghur population. This is just the latest leak example; there are innumerable others.
Despite the frequency of these leaks, the situation seems to be improving. Most of these inadvertent leaks have sprung, in fairness, from people using outdated instances of the company’s so-called community edition software, a free, barer-bones version of the database product. Mark Wheeler, a MongoDB spokesperson, conceded that the 12-year-old company “struggled in its early years to find the right balance with security.” But he avers that updates to the default settings of MongoDB’s software over the past few years, plus key security team hires—including guardians Davi Ottenheimer, Kenn White, and now Smart—are changing the equation.
As Smart’s scope involves securing the totality of MongoDB’s business, the data-spillage issue ultimately falls to her. She says she’ll continue educating customers in best practices when it comes to security. She says she will also aim to imbue the company’s product development process with security, quality assurance, and testing from the earliest stages. “If we can get in at the very start” of the software development lifecycle, Smart says, it will “save us time and money and make our products more reliable and secure.”
The leaky database issue is one that extends well beyond MongoDB. It’s also a problem for rivals such as Amazon, particularly its S3 buckets, Elastic, and others. Like so many companies, these database-makers are looking now to shore up their software in the hopes of turning a historical weakness—cybersecurity—into a competitive strength. As Dev Ittycheria, MongoDB’s president and CEO, tells Fortune: making the company’s products as secure as possible “is critical to our business.”
Indeed, it’s critical to MongoDB and, increasingly, every business.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Step into the light. NSO Group, a controversial Israeli spyware outfit whose software has been implicated in the murder of Washington Post columnist Jamal Khashoggi, has been trying to clean up its image in the eyes of the public. Shalev Hulio, CEO of the notoriously secretive smartphone-cracking company, interviewed with CBS's 60 Minutes and permitted a tour of the offices. He denied any culpability in Khashoggi's assassination, despite having sold the firm's technology to the Saudi Arabian monarchy.
Order in the court. Hal Martin III, a contractor with the U.S. National Security Agency, pleaded guilty in federal court on Thursday for stealing state secrets in what may be the largest breach of classified information in U.S. history. The lawyer for the defense said Martin's "actions were the product of mental illness." Meanwhile, a New York Times dispatch from Guantánamo Bay alleges that the U.S. government has recordings of the mastermind behind the September 11th terrorist attacks hatching the heinous plot with co-conspirators.
Sipping the poisoned chalice. Nation state-linked hackers last year compromised roughly half a million Windows-running computers produced by ASUS, the Taiwanese tech giant, according to Kasperky Lab, the Russian cybersecurity firm. ASUS downplayed the software supply chain attack in a statement, saying "a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers." We echo the advice of Matt Blaze, a cybersecurity expert and Georgetown University professor, who says people should still regularly update their software.
Microsoft misadventures. Microsoft won a restraining order in U.S. court enabling the company to take control of 99 web domains used by a nation state threat actor. The domains were involved in alleged Iranian hacking campaigns tied to the defection of a U.S. Air Force counter-intelligence, Monica Witt, who is wanted by the FBI. Meanwhile, a 24-year-old, autistic security researcher pleaded guilty in a London court to hacking the computer networks of Microsoft and Nintendo. The judge issued short, suspended sentence, saying: “I am trusting this will be a lesson from which you will all learn."
Share today's Cyber Saturday with a friend:
http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
ACCESS GRANTED
Alms qualms. Fast Company pries open the socioeconomics of privacy in this intriguing article. Ciara Byrne, the author, explains how many of the poorest Americans are forced to live under constant surveillance, a situation that exposes them to marketing for predatory financial services. Another set of the nation's poorest, including undocumented immigrants, day laborers, and homeless people, are often forced to live off the grid in what Byrne describes as a "surveillance gap," which prevents them from getting access to resources that might help them.
“Middle-class and wealthy Americans need to realize that novel surveillance techniques are typically used first on the poor,” [law professor Michele E.] Gilman wrote in a 2012 article. “By the time these strategies spread beyond controlling the poor, any ‘reasonable expectations’ against their use have dissolved.”
Low-income communities have historically been monitored by government and their privacy has been routinely invaded. In Colonial America, most towns had an “overseer of the poor” who tracked poor people and either chased them out of town or auctioned off their labor. Current public benefits programs ask applicants extremely detailed and personal questions and sometimes mandate home visits, drug tests, fingerprinting, and collection of biometric information.
FORTUNE RECON
Huawei's Perception Problem Deepens as U.K. Spies Identify Security Risks by David Meyer
5 Things to Know About Facebook's New Ban on White Nationalism by Aaron Pressman
U.S. Government Declares Grindr a National Security Risk by Chris Morris
How China's Surveillance State Reflects 'Black Mirror' by Clay Chandler
After New Zealand Massacre Video Posting, Microsoft President Says Tech Industry Needs a 'Major Event' Protocol by Alyssa Newcomb
Quadriga's Bitcoins Would Have Been Safer in Bermuda, Country Leader Says by Jen Wieczner
ONE MORE THING
Dynamic Duo. A question for the entrepreneurs in the room: How did you meet your cofounder? If you said you bumped into each other in a stairwell while attempting to hack into the IT network of that other person's company, then you share something in common with the folks at Duo, a cybersecurity startup snatched up by Cisco for more than $2 billion last year.
I think they call that love at first cyber.
