by VLM 3503 days ago
But not in one giant queryable SQL table.

I'd worry about parallelized spear-phishing attacks across multiple stores: "Good morning DEF, have I reached store number 12345 cash handling office? OK, good to hear. This is ABC at Walmart corporate IT calling back about that trouble ticket your coworker XYZ entered about your store in Springfield. Is XYZ at work now? Oh OK, well, anyway the ticket says XYZ is having trouble accessing the credit card portal. The ticket says you're trying to log in using the password "password2", and back at HQ I can't log in using that password either, so I'm planning on resetting her password, which will completely lock her out of the system for at least a week, unfortunately, but that's how ... Oh wait, you say there's a post-it note on the monitor that her password is actually "ilovejustinbeiber"? Hold on a moment, let me try that. How about that, it does work. Hey, thanks for helping out, gonna save a lot of trouble for everyone. I'm not going to reset XYZ's password since it does work, I'll just close out the ticket with "can't reproduce problem"; whoever took the ticket here couldn't enter the data right and obviously whatever problem there was is fixed now. Have a nice day out there in Springfield, Make Walmart Great Again (or whatever it is they say). Bye!"

Or some team calls, like, twenty electronics departments and tells all of them to toss all their iPad stock into a large shipment box because they were shipped with faulty batteries, while reading back all the info they gathered to build trust, then lets them know a courier from UPS (fake brown uniform) will present a (fake) ID and pick up that box of iPads in an hour and they can expect replacements air shipped later that day. Remind the employee to make sure they sign and save the (fake) return receipt. Imagine what a large team could do with a phone that takes pictures, snapping serial numbers of boxes on the shelf and a half hour later reading the serial number list back to the clerk over the phone.

This is all old stuff, but the advantage is you can parallelize it. If "they" hit one store every night there would be emergency emails printed out and taped up and handed out by the next week, but if you run this right you could do maybe 200, 300 stores.

Even better if a competitor paid you to pull this off on Black Friday when half the IT staff took the day off anyway and all you need is to sow chaos to make money. Or do this the day before earnings are announced to really mess with them financially.


Uhhh... "facebook can't query user data"? Facebook even has the current occupation and location data of users, so of course they can find out at what specific store you work!

Facebook has a larger user base with richer data on them than the app in the story. None of that data is E2E encrypted, and all of it is available to (some) FB employees.

I think your FUD is unjustified here.

Nowhere did he say that "facebook couldn't query user data".

He's saying that it's probably not in a form that's easily queryable. With that information in an ill-secured data store that's highly categorized, you can do all sorts of mischief.

And how is it FUD? Once you cleanse and normalize data, fraud opportunities become very apparent.

It sounds a lot like "I assume FB has good data practices based on nothing, and I assume this app has bad data practices based on nothing, thus this app is probably bad".

Yeah, the app has an option to fill in your store ID, but Facebook has at least as valuable data on you (like many private conversations), and has the tooling to extract all kinds of markers from this rich data (i.e. for advertising and running facial recognition on all your pictures). Fraud opportunities are everywhere in the centralized social media (/ web services) sphere.

> "I assume FB has good data practices based on nothing, and I assume this app has bad data practices based on nothing, thus this app is probably bad".

That is a strawman. FB probably has decent (at least industry standard) data practices because they're a public company, spend a lot of money on hiring engineers, and have been under investigation for keeping data secure. I think that if they're doing something wrong, they're probably not doing something obviously stupid.

Now, you have another app which was written by "Now, Marler has a second job: She’s one of about two dozen current and former employees who helped construct an app called WorkIt that answers questions about Walmart’s policies and workplace rights using Watson, IBM’s artificial intelligence bot."

I'm not saying that this app is bad, I'm saying that they have a huge probability of overlooking data security vulnerabilities. Of their two dozen employees, how many of them are really well versed in infosec or IT?

The belief that FB has good data practices and there are no assurances that another random app has unknown data practices is rooted in reality.

The fact that the random app is asking for so much possible PII is not a good sign.

I don't think labor unions are going to run a scam like that. This is ridiculous. Walmart has all this information in DBs right now and they're way more likely to get hacked.

You make a good point; however, the real threat isn't "Our Walmart" but "R Walmart", "Are Walmart", "Our Target" and so forth.

I have faith that the app market is so hypersaturated that any scheme that doesn't epic fail immediately spawns hundreds of clones.

"Our Walmart" is probably legit, although probably a smaller, harder-to-defend target, and the problem is going to be inevitable clones and scams.

There is also the meta-threat of normalizing sharing employer information. Sure, maybe 99% of people who ask for my IP address or a list of ciphers my sshd permits are really not up to anything bad, but it would be bad to get in the habit of telling rando requesters anything they ask. So, among others, I allow aes256-gcm in my corporate sshd config... and what possible good could come from people answering questions like that?

If you're that worried about it, send an email to the union and claim an hour of pro-bono consultancy on your tax return. I don't know your motivations, but this looks awfully like concern trolling.

Incidentally I'm not a union member, nor have I ever been. I just find it really odd to see a firm like Walmart being so 'concerned' about the security of their employees while at the same time shoving all sorts of electronic gadgets at their customers without the slightest murmur about the security issues. Does Walmart give the same kind of security advice to customers or employees who purchase smartphones? If not, then why would I take their sudden concern at face value here?

It's interesting that my concerns were very specifically in defense of Walmart-owned property, but you describe them very specifically as security of their employees. And then wander off into customer land.

Perhaps giving away large amounts of PII in this app or getting into the habit of giving away PII for the asking puts the employees at risk, but my theoretical examples only put Walmart-owned property at risk. Well, any employee involved would probably get fired as the fall guy, or there's some obscure binder miles away with a written policy forbidding my scenarios, but ...

"sudden concern" Is it a sudden concern? I work at a very large corporation and every six months or so we get a refresher course in not being socially engineered etc. It's a sudden concern of us, of some news organizations. Opposition to social engineering attacks is probably not a recent sudden concern of Walmart's infosec department; they've been around the block a bit, and a company doesn't get that big entirely staffed by noobs.