IEEE apologises for data security lapse

On 25 September it was reported that the usernames and passwords of around 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) were found unencrypted on an FTP server by University of Copenhagen researcher Radu Dragusin. The incident was reported in various specialist journals for computer security experts as well as in the general computer press.

On 27 September the IEEE issued the following statement on the incident:

"We deeply regret the exposure of user IDs and passwords that we became aware of on 24 September 2012. We would like to take this opportunity to explain to our members and customers the circumstances under which the exposure occurred and provide assurances with respect to IEEE's security processes and policies.

"IEEE follows security best practices based on ISO and NIST standards. We review these standards to ensure that we follow a certain security methodology in our practices and processes. Notwithstanding our precautions, the exposure of the user IDs and passwords nevertheless did occur and we have thoroughly investigated how it happened.

"We have found the following: The incident related to the communication of user IDs and passwords between two specific applications within our internal network resulting in the inclusion of such data in web logs.

"An anomaly occurred with a process executed in coordination with a proxy provider of IEEE, with the result that copies of some of the logs were placed on our public FTP server. These communications affected approximately 2% of our users. The log files in question contained user IDs and accompanying passwords that matched our directory. The primary logs were, and are, stored in protected areas.

"Upon discovering this exposure, IEEE immediately removed those files, ceased receiving those log files from the proxy provider, and corrected the interapplication communication that resulted in the logs containing user IDs and passwords.

"The affected user accounts were locked down, and only affected users were notified that IEEE is requiring that each affected user change his or her password. Institutional account information was, and remains, unaffected.

"IEEE does not store its corporate directory information in the clear, does not expose it to the public, nor was the corporate directory compromised.

"We thank IEEE's more than 2.5 million global users for their continuing support. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."
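The root cause named in the statement, credentials passed between applications in a way that let them land in web logs, is a common failure mode: a user ID and password carried in a URL query string are written to the access log by every proxy and web server on the path. The following is an added, self-contained example (written for this article, not IEEE's or its proxy provider's code) of a defensive control that scans access-log lines before they are stored or forwarded, reports which lines leaked a credential parameter, and redacts the value. The log format, the list of sensitive parameter names and the three sample log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that must never be written to a log line (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Common Log Format line with the quoted request line split into method, URL and
# protocol; the remainder of the line (status, bytes) is kept verbatim.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)'
    r'(?P<post>".*)$'
)

# Constructed sample log lines; no real accounts or credentials.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2012:10:01:02 +0000] "GET /search?q=ieee HTTP/1.1" 200 512',
    '10.0.0.7 - - [24/Sep/2012:10:01:05 +0000] "GET /auth/login?username=alice&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.9 - - [24/Sep/2012:10:01:09 +0000] "POST /api/sync?token=abc123&user=bob HTTP/1.0" 200 44',
]


def redact_url(url):
    """Return (redacted_url, leaked_param_names) for one request URL.

    Parameters whose name is in SENSITIVE_PARAMS keep their name, so the
    analyst can still see that a credential was sent, but lose their value.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS]
    if not leaked:
        return url, []
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted))), leaked


def scrub_line(line):
    """Return (scrubbed_line, leaked_param_names) for one access-log line.

    Lines that do not match the expected format are passed through unchanged
    so the scrubber never silently drops log data.
    """
    m = LOG_RE.match(line)
    if not m:
        return line, []
    new_url, leaked = redact_url(m.group("url"))
    if not leaked:
        return line, []
    rebuilt = f'{m.group("pre")}{m.group("method")} {new_url} {m.group("proto")}{m.group("post")}'
    return rebuilt, leaked


def scrub_log(lines):
    """Scrub every line; return (clean_lines, findings).

    findings is a list of (1-based line number, [leaked parameter names]) so
    the incident responder knows which lines carried credentials before the
    log copy was sanitised.
    """
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        out, leaked = scrub_line(line)
        clean.append(out)
        if leaked:
            findings.append((n, leaked))
    return clean, findings


if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    for n, params in found:
        print(f"line {n}: credential parameter(s) {params} redacted")
    print("\n".join(cleaned))
```

Redaction at the log-writing stage is a second line of defence only: the durable fix, which the statement describes as "corrected the interapplication communication", is to stop carrying credentials in URLs at all, since a query string is logged by default by every intermediate proxy and server. A scrubber like this one is still worth running on any log copy that leaves the protected store, and its findings list doubles as a detection signal that some application has started leaking credentials again.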