Log4j2 vulnerability (CVE-2021-44228)
Incident Report for Falcony
Resolved
We've identified all of our subprocessors that were affected by this incident. All related services have been patched, and this incident is now resolved.
Posted Jan 26, 2022 - 11:09 EET
Update
We have identified that our subprocessor Amazon Web Services (AWS) had their RDS service affected by the Log4j vulnerability. The service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon RDS is used for BI integrations in both incy.io and audits.io. We're not aware of any exploitation of the vulnerability or unauthorized access to data.
Posted Jan 26, 2022 - 11:08 EET
Update
We have identified that two additional subprocessors have been affected by the Log4j vulnerability:

- Mailgun, see https://status.mailgun.com/
- Postmark, see https://postmarkapp.com/updates/update-on-the-recent-log4j-vulnerability

Both services have patched the vulnerability.

Mailgun and Postmark are used for email delivery in incy.io and audits.io. We're not aware of any exploitation of the vulnerability or unauthorized access to data.

We are still monitoring whether the issue affects any additional subprocessors.
Posted Dec 17, 2021 - 13:26 EET
Monitoring
We have identified that our subprocessor Amazon Web Services (AWS) had their S3 service affected by the Log4j vulnerability. The vulnerability has been fully patched by AWS. Related AWS incident: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.

AWS S3 is used for hosting attachments in both incy.io and audits.io. We're not aware of any exploitation of the vulnerability or unauthorized access to data.

We are still actively monitoring this issue and checking whether it affects any additional subprocessors.
Posted Dec 14, 2021 - 10:39 EET
Investigating
At Plan Brothers, Trust is our #1 value, and we take the protection of our customers’ data very seriously. We are aware of the recently disclosed Apache Log4j2 vulnerability (CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

Our services' own codebase does not use Log4j2. We are actively monitoring this issue and checking whether it affects any of our subprocessors.
Posted Dec 13, 2021 - 11:56 EET
This incident affected: Falcony and audits.io.