Historical supplier-related data incident involving controlled recruitment and security documents

WAYSCLOUD-TR-2025-0001 | Privacy / Data Handling Report | high | Resolved
Published: 2025-04-29 10:00:00 UTC
Event: Nov 19, 2024 — Jan 31, 2025

Summary

This retrospective report documents a historical supplier-related data incident involving Fortified Technologies AS, a cybersecurity supplier engaged by WAYSCloud for security strategy, CSF 2.0-related work and security-related assessments. The incident concerned manual, browser-based downloads from an isolated and access-controlled collaboration workspace that had been established as a security measure. WAYSCloud reported the incident to the Norwegian Data Protection Authority under reference AR644275154, notified affected individuals, removed supplier access and strengthened controls for sensitive collaboration areas.

Status

Closed — operationally remediated; external deletion not independently verified.

  • Supplier access was removed.
  • The supplier relationship was terminated.
  • The incident was reported to the Norwegian Data Protection Authority.
  • Affected individuals were notified.
  • WAYSCloud strengthened restrictions on browser-based downloads from sensitive collaboration areas.
  • WAYSCloud did not receive documentation sufficient to independently verify complete deletion, backup status or absence of further copies.

Scope

The incident was limited to a controlled shared workspace used for collaboration with Fortified Technologies AS.

The incident did not affect customer production environments, customer cloud workloads, customer databases, authentication systems, payment systems, live infrastructure or service availability.

The potentially affected material was limited to recruitment-related documents and selected internal business, security and infrastructure documents.

Background

Fortified Technologies AS was engaged by WAYSCloud to assist with cybersecurity strategy, security framework work and security-related advisory tasks.

As part of the collaboration, WAYSCloud established an isolated shared workspace. The workspace was not an informal file-sharing area. It was a controlled collaboration environment designed to keep sensitive material centrally stored, access-restricted, authenticated and logged.

According to the original deviation report, access was limited to three WAYSCloud employees and two external consultants from the supplier.

The workspace contained recruitment material for security-critical positions, including CISO and security architect candidates. WAYSCloud considered these roles to require a high level of confidentiality because candidate material could include identity information, references, work history and security-related professional background.

What Happened

On 19 November 2024, 66 documents were manually downloaded from the controlled workspace by a supplier user account.

The logs did not indicate local synchronization or an automated backup process. They showed manual, browser-based downloads performed file by file from the controlled workspace. The original deviation report recorded that each file was downloaded through the browser after authentication, without local synchronization.

The downloaded files included:

  • 32 PDF files
  • 24 Microsoft Word files
  • 5 Microsoft PowerPoint files
  • 3 Google documents
  • 2 Google spreadsheets

The incident was detected by WAYSCloud's monitoring systems on 21 November 2024 at 23:03. WAYSCloud contacted the supplier at 23:14 the same evening to request an explanation, the status of the downloaded copies and information about deletion.

Data Involved

The potentially affected personal data primarily concerned candidates in recruitment processes for security-critical roles.

The material included or could include:

  • CVs and applications
  • Descriptions of competence and experience
  • Employment history and previous security-related roles
  • References
  • Diplomas and education documents
  • National identity numbers and other identifying information

The initial estimate was up to 76 potentially affected individuals. After further review, this was reduced to 10.

Supplier Response

Fortified Technologies AS, through its legal representative, stated that the supplier had used standard Google Drive functionality, that the documents had been deleted, that no copies remained, and that the documents had not been shared further. The supplier also disputed WAYSCloud's assessment that the incident represented a breach of confidentiality, arguing that the documents had already been available to the supplier in the workspace.

WAYSCloud's position was that the core issue was not whether the supplier had been granted access to the workspace. The core issue was that data had been moved out of a controlled environment, and that WAYSCloud required verifiable information about storage, deletion, backups and copies.

The supplier correspondence also included unrelated commercial matters. WAYSCloud treated the data incident as a separate security and privacy issue.

Why The Supplier Was Identified

WAYSCloud did not initially treat the supplier's identity as the central public issue. The priority was containment, reporting, notification of affected individuals and obtaining verifiable deletion evidence.

However, questions and rumours later arose about which cybersecurity supplier had collaborated with WAYSCloud. Because Fortified Technologies AS had been engaged specifically for cybersecurity-related work, and because the incident concerned handling of security-sensitive and personal data within that engagement, WAYSCloud considered the supplier's identity to be material to the public understanding of the case.

Identifying the supplier helped clarify the public record, avoid speculation about other partners or suppliers, and distinguish this incident from WAYSCloud's platform operations and customer services.

WAYSCloud's Assessment

WAYSCloud did not consider the incident to be ordinary use of a shared workspace.

The workspace was established precisely to keep sensitive collaboration material in one controlled environment. The risk arose when documents were manually downloaded file by file through the browser and moved outside that environment.

From WAYSCloud's perspective, the relevant distinction was:

  • The supplier had been granted access to view and work with material in a controlled workspace.
  • The supplier had not been authorised to move sensitive documents into an uncontrolled environment without a documented purpose, notification or a verifiable deletion process.

WAYSCloud therefore treated the incident as a loss of control over personal data and confidential business material.

Notification And Regulatory Handling

WAYSCloud reported the incident to the Norwegian Data Protection Authority shortly after detection.

The incident was reported under reference AR644275154.

WAYSCloud also notified affected individuals. In supplementary documentation, WAYSCloud stated that all affected individuals were notified, with seven notified through Digipost and three handled through the recruitment partner where direct contact details were not available.

When later follow-up showed that it could not be confirmed that all three had been reached through the recruitment partner, WAYSCloud informed the Norwegian Data Protection Authority that it would perform address lookups and contact the remaining individuals directly.

Verification Request

On 25 November 2024, WAYSCloud sent a formal request for deletion verification.

WAYSCloud requested:

  • Formal confirmation that all relevant data had been deleted.
  • Confirmation covering local devices, backups, email systems and archive systems.
  • A description of which systems had been reviewed.
  • Documentation of deletion methods and tools.
  • Audit logs showing date, time and responsible actor.
  • Confirmation that no backups contained the data, or that any such backup copies had been deleted.
  • Permission for an independent third party to verify deletion from relevant systems and backups.

The request was sent with a response deadline of 2 December 2024.

Impact

The incident did not affect WAYSCloud customer systems, cloud workloads, databases, authentication systems, payment systems or platform availability.

The potential impact related to confidentiality.

For affected individuals, the potential risk was exposure of recruitment material, identity information, references and security-related professional background.

For WAYSCloud, the potential risk was loss of control over internal security-related documentation and reduced confidence in supplier handling of confidential material.

Measures Taken

WAYSCloud took the following measures:

  • Removed supplier access.
  • Reviewed the workspace and downloaded material.
  • Reported the incident to the Norwegian Data Protection Authority.
  • Notified affected individuals.
  • Contacted the recruitment partner.
  • Requested formal deletion evidence.
  • Requested confirmation regarding backups and copies.
  • Requested independent verification.
  • Reviewed access controls.
  • Tightened controls for sensitive collaboration areas.
  • Strengthened alerting for download activity.
  • Terminated the supplier relationship.

Improvements After The Incident

The incident led to stricter controls for external collaboration involving sensitive material.

WAYSCloud strengthened its approach in particular around:

  • Limiting browser-based download capability for sensitive workspaces.
  • Reducing the amount of sensitive material exposed to external parties.
  • More granular access control.
  • Clearer separation between view access and export/download capability.
  • Earlier alerts on download activity.
  • Stronger supplier requirements for deletion evidence, auditability and backup handling.
  • Clearer escalation procedures when supplier-controlled copies may exist.

The most important lesson was that a controlled workspace is only effective if export paths are also controlled. Logging worked, detection worked, and WAYSCloud was able to reconstruct the incident. After the incident, WAYSCloud strengthened the preventive layer as well.
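The following is an added example, not WAYSCloud's tooling or anything taken from the report: a sliding-window check of the kind that "earlier alerts on download activity" implies, run over constructed events. The event shape, the domain names, the 15-minute window and the threshold of five are assumptions; the 66 evenly spaced downloads only mirror the count and time range stated in this report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "internal.example"  # assumption: placeholder for the owner's domain

def sample_events():
    """Constructed events in a hypothetical (time, actor, action, doc) shape."""
    start = datetime(2024, 11, 19, 16, 23)  # UTC, as in the timeline
    events = [(start + timedelta(seconds=67 * i), "consultant@supplier.example",
               "download", f"doc-{i:02d}") for i in range(66)]
    # Noise that must not alert: external views and one internal download.
    events += [(start + timedelta(minutes=m), "consultant@supplier.example",
                "view", f"doc-{m:02d}") for m in range(10)]
    events.append((start + timedelta(minutes=5), "employee@" + INTERNAL_DOMAIN,
                   "download", "doc-01"))
    return events

def bulk_download_alerts(events, window=timedelta(minutes=15), threshold=5):
    """Return {actor: (first_alert_time, distinct_docs_in_window)} for external
    accounts that download `threshold` distinct documents within `window`."""
    recent = defaultdict(deque)   # actor -> (time, doc) pairs still inside the window
    alerts = {}
    for ts, actor, action, doc in sorted(events):
        # Only downloads by accounts outside the internal domain are counted.
        if action != "download" or actor.endswith("@" + INTERNAL_DOMAIN):
            continue
        q = recent[actor]
        q.append((ts, doc))
        while ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        distinct = len({d for _, d in q})
        if distinct >= threshold and actor not in alerts:
            alerts[actor] = (ts, distinct)  # record only the first crossing
    return alerts

if __name__ == "__main__":
    for actor, (when, n) in bulk_download_alerts(sample_events()).items():
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {actor}: {n} documents in window")
```

On this constructed input the check fires on the fifth download, minutes into the session, while view-only activity and the internal download are ignored.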

Transparency Statement

Transparency and openness are essential to WAYSCloud.

This report is published because serious incidents should be documented clearly, even when they are uncomfortable, historical or supplier-related. WAYSCloud believes trust is built by showing what happened, how it was detected, how affected persons were handled, what was reported, what remained unresolved, and what was improved afterwards.

WAYSCloud also publishes this report to correct misunderstandings around the incident. The controlled workspace was itself a security measure. The issue was not broad or careless distribution of sensitive material by WAYSCloud. The issue was that material was manually downloaded file by file through the browser and moved outside the controlled environment.

Conclusion

This was a serious supplier-related data incident involving a controlled workspace established for cybersecurity-related collaboration.

WAYSCloud detected the activity through monitoring, contacted the supplier quickly, reported the incident to the Norwegian Data Protection Authority, notified affected individuals, removed access, requested verifiable deletion evidence, and strengthened internal controls.

The incident did not affect customer systems, production workloads, platform availability or live cloud services.

WAYSCloud publishes this retrospective report to document the handling of the incident, correct the public record where necessary, avoid speculation about other suppliers or partners, and show how the company strengthened its controls after a serious supplier-related event.

Timeline

Nov 19, 2024, 16:23 UTC
WAYSCloud's original deviation report records that 66 documents were manually downloaded file by file through the browser between 16:23 and 17:36 UTC. The redacted public log extract shows the documented subset of this activity. Local synchronization was not enabled.
Nov 21, 2024, 22:03 UTC
Investigating
WAYSCloud's monitoring detected the activity.
Nov 21, 2024, 22:14 UTC
Action Taken
WAYSCloud contacted the supplier and requested an explanation.
Nov 22, 2024, 03:10 UTC
Action Taken
WAYSCloud submitted the initial deviation report to the Norwegian Data Protection Authority under reference AR644275154.
Nov 22, 2024, 11:41 UTC
Update
The supplier, through its legal representative, responded.
Nov 22, 2024, 12:53 UTC
Update
WAYSCloud submitted supplementary information to the Norwegian Data Protection Authority. The number of potentially affected individuals was reduced from 76 to 10.
Nov 22, 2024, 15:13 UTC – Dec 2, 2024, 09:56 UTC
Update
Between 22 November and 2 December 2024, WAYSCloud sent three follow-up emails to the recruitment partner requesting that closure notifications be forwarded to the remaining affected candidates. The recruitment partner did not respond.
Nov 25, 2024, 03:13 UTC
Action Taken
WAYSCloud sent a formal deletion and verification request to the supplier (Fortified Technologies AS) through Digipost with strong authentication.
Nov 25, 2024, 03:34 UTC
Update
WAYSCloud submitted additional documentation to the Norwegian Data Protection Authority.
Dec 2, 2024, 12:00 UTC
Deadline for the supplier's response to the formal deletion and verification request sent on 25 November 2024.
Dec 3, 2024, 10:39 UTC
Update
WAYSCloud informed the Norwegian Data Protection Authority that no written response had been received by the deadline.
Jan 3, 2025, 11:32 UTC
Update
WAYSCloud sent a follow-up inquiry to the Norwegian Data Protection Authority requesting feedback on the reported incident.
Jan 26, 2025, 09:33 UTC
Update
WAYSCloud sent a second follow-up inquiry to the Norwegian Data Protection Authority regarding the incident assessment.
Jan 31, 2025, 12:00 UTC
Resolved
The Norwegian Data Protection Authority confirmed that necessary measures had been implemented and formally closed the case under reference AR644275154.

Supporting documentation

The attachments below are redacted public extracts linked to this report. They document the incident timeline, regulatory reporting, affected-person notification, supplier verification requests, follow-up correspondence and the formal closure notice from the Norwegian Data Protection Authority.

All public attachments have been redacted to protect personal data, confidential business information and individual identifiers. The original documentation is retained by WAYSCloud.