When The We Company, aka WeWork, filed its S-1 with the SEC on August 14, much of the ridicule it received was reserved for its questionable financials and borderline cultish tone.
And sure, there was a lot not to like in the prospectus. Like the fact that the company lost $900 million in the first half of 2019. Or that they had to rely on a made-up metric—Community-Adjusted EBITDA—to make the business look more profitable. It’s understandable why those headlines would get most of the attention.
But buried in the prospectus, there was another red flag that was not nearly as obvious at the time: their network security.
WeWork’s Language
As has become standard practice, WeWork did include cybersecurity among its list of risk factors. This risk, according to the prospectus, hinged as much on external factors, such as third-party platforms and employee mistakes, as on the company itself.
For example, this is how WeWork described cyber threats on the 10th page of its 30-page risk factor section:
“Similar to other companies, our information technology systems face the threat of cyber-attacks, such as security breaches, phishing scams, malware and denial-of-service attacks. Our systems or the systems of our third-party service providers could experience unauthorized intrusions or inadvertent data breaches, which could result in the exposure or destruction of our proprietary information and/or members’ data.”
A little further down the page:
“From time to time, employees make mistakes with respect to security policies that are not always immediately detected by compliance policies and procedures. These can include errors in software implementation or a failure to follow protocols and patch systems. Employee errors, even if promptly discovered and remediated, may disrupt operations or result in unauthorized disclosure of confidential information. We have experienced unauthorized breaches of our systems prior to this offering, which we believe did not have a material effect on our business.”
While technically correct, these disclosures mask what we now know was an extremely lax approach to network security. As it turns out, the biggest threat to The We Company’s network security may just be The We Company.
Password Insecurity
As Fast Company first found, WeWork’s WiFi networks are so insecure, they may as well be completely public. Not only does WeWork rely on a less secure WiFi network meant for home use, but it uses easy-to-guess passwords that are shared at multiple locations.
In response to that report, CNET reviewed a scan of a WiFi network at a downtown Manhattan WeWork location that revealed sensitive information—including financial records, business transactions, client databases, and emails—from 658 devices connected to WeWork's network.
WeWork, for its part, does offer extra data security for its members. A company spokeswoman told CNET these features include "a private VLAN, a private SSID or a dedicated end-to-end physical network stack." Members are charged extra fees for these added protections.
The clear lack of attention paid to the company’s WiFi security poses a unique threat that may outweigh the benefits of the shared workspace, according to Darren Conte, CEO of secure document storage and messaging platform Siftsort.
“When placed in a shared or public workspace, WiFi, in general, is a convenience. People assume that such conveniences are secure even when password-protected,” said Conte. “It’s alarming that a company like WeWork wouldn’t take extra precautions to ensure that even its basic level of WiFi was implemented with a higher security standard considering it’s a core component to their business model.”
At a time when the company is still reeling from its failed IPO and reportedly considering layoffs, Conte said updating their network security is a low-hanging option that would move the company forward.
“Going forward, WeWork should consider revamping their infrastructure design and compliance initiatives to adhere to higher industry privacy standards, the way banks do, to avoid further reputational damage,” he said.
The lack of demand on Wall Street may have saved retail investors from holding the bag in a weakened IPO market, but members counting on WeWork to keep their company’s information secure should still be worried.
Photo by Eloise Ambursley on Unsplash
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.
