The leaked internal Sirfeterd security report details how the security firm obtained and shared the private encryption keys used by the UK’s largest internet provider to protect customer data.
Sirfett, which was founded in 2014 by ex-Google engineer Andrew Kim, disclosed the internal report in an open letter to customers on Wednesday.
SirFetchd said it had “no interest in the publication of any personal data, and has no desire to.
This is not a matter of security or privacy, and we take the responsibility for the security of our data very seriously.”
SirFetcher disclosed the private keys for the company’s encryption key, called AES-256, in a letter to the Guardian and Business Insider.
The letter, signed by SirFets security director, Andrew Kim, and director of research and development, Rob Sainsbury, says that in the past, SirFett had “used the AES-128 encryption keys as well as RSA encryption keys.”
A month before SirFetter acquired the encryption keys for its customer data, it also published a report detailing how it had hacked into the personal data of its customers using a third-party service called Fetchd.
The company has been ordered by a federal court to pay more than $100 million to customers in the wake of the breach.
Sir Fetch has denied any wrongdoing.
In the letter, Kim said that SirFETD had not obtained any data by hacking into its customers’ computers.
Instead, SirfETD shared the AES encryption keys with other security firms.
The leaked security report states that the encryption key was only available for customers to obtain and use “when they were on premises and could not be accessed remotely.”
Kim wrote that this meant that “an unprivileged, third party would be able to break into a customer’s system and steal sensitive information such as passwords, email addresses, etc.”
The letter also revealed that Sirfets customers were not allowed to access the private key for the encryption service.
“The AES-255 decryption key is only available to customers who are on premises when they are not being accessed remotely,” Kim wrote.
“To prevent unauthorized access, customers are only allowed to get the AES key from a service provider that is on premises.”
Sirfet revealed that it had obtained the AES keys for several different services, including its security-focused cloud-based service, Sirfetd.
This was not the first time that Sir Fet has leaked its internal data.
In 2014, Sir Fets CEO, Andrew Kim, and other top SirFetts executives revealed that the company had obtained and used a secret key used by Google and Microsoft to decrypt customer data from the cloud, using the keys for their own encryption services.
SirFs security director Kim, however, said at the time that it was not possible to decrypt encrypted data sent from one customer to another.
He said that he believed that the data had been encrypted in a way that would not reveal it to anyone, including law enforcement.
Kim said in 2014 that the leaked encryption keys had been used to encrypt information on more than 30 million accounts, including emails, phone numbers, credit card numbers, bank account numbers, and passwords.
In January 2018, Sirfyt revealed that in 2015, it had acquired and used two different keys for encryption and decryption.
“We were in the business of doing a number of different things that we thought would give us the best chance of not revealing our customers’ encryption keys to the government,” Kim said at that time.
“So the only way we could do that was to give our customers the encryption services.”
Sirfyth said that it used a third key that was “in the possession of a third party” and that “that key is used to decrypt the data.”
Sir Fett has not yet responded to a request for comment.
Sirsfetch’s leaked report reveals that the encrypted encryption keys were only accessible to SirFetz customers who were on “premises and could be accessed remote.”
The company said that customers were allowed to obtain the encryption keys only from the service provider on premises, which is “the only place you can get the key for decrypting encrypted data.”
“We have always believed that our customers should not have to worry about having their data compromised,” Kim told Business Insider in an email.
“It is in the best interests of all of our customers to be able to use our encrypted services as they see fit.
This transparency will allow customers to make informed decisions about whether or not they want to use our services and secure their data.”