Help

Issue Update: Jamf Nation Feature Request Portal

jacob_bernardy
Community Manager
Community Manager

Posted on ‎03-06-2024 11:02 AM

Jamf Nation-

The privacy of our customers' data is of the utmost importance to us. Yesterday, we learned of an issue in the Jamf Nation Feature Request portal related to the exposure of limited user data. This was limited to Jamf Nation user data, did not include password data, and did not impact any other products or user data outside of Jamf Nation. This issue is now resolved. We will provide updates as they become available and we complete our investigation. Thank you for your continued patience in this matter and we apologize for the inconvenience that this has caused.

Jake Bernardy
Vice President, Global Customer Success @ Jamf

0 Kudos
2 REPLIES 2

mark_lynch
New Contributor III

Posted on ‎03-06-2024 11:33 AM

Thanks for at least a start to information on the incident. Towards that end, we would appreciate the following additional information:

  • "did not impact any other products or user data outside of Jamf Nation" can you speak to the origination of the exposed data - was this ingested from the underlying Jamf Nation software, the Jamf ID system, or from Jamf back-end CRM (Salesforce, etc)?
  • Can you speak to the potential specific information exposed (names, numbers, organization, emails, etc)?
  • Can you speak to the steps taken that resulted in seemingly a misconfiguration?
  • Was this the result of the recent Jamf ID overhaul? And if so: given the nature of how Jamf ID is interconnected between various other platforms/services, what steps are being taken to identify if other services may have also resulted in data exposure?

Our organization is a healthcare org, so as you can imagine we have to take even the slightest exposure seriously, if only to understand the risk surface.

Much appreciated!

jacob_bernardy
Community Manager
Community Manager

Posted on ‎03-25-2024 10:37 AM

Jamf Nation-

Thank you for your patience while we completed our full investigation of this issue. We wanted to provide additional information based on questions we've received from Jamf Nation.
  • What happened? A configuration was updated in the Jamf Nation Feature Request portal which resulted in the temporary display of limited user data to a small subset of portal visitors. This was not related in any way to the recent Jamf ID migration project.
  • Who was impacted? Organizations with Jamf Nation accounts.
  • What was the impact? Limited personal user information (company names, and sometimes names and email addresses) could be temporarily exposed if a registered Jamf Nation user attempted to use the Jamf Nation Feature Request functionality.
  • Do customers need to take action? No. The configuration that caused the exposure of user data was disabled, and there is no further action needed from Jamf Nation.
  • How will Jamf avoid this in the future? Jamf has created additional change management and monitoring mechanisms to ensure that future configuration changes do not result in the display of Jamf Nation user data.

    Thank you for your patience while we thoroughly reviewed this issue.