CodeWall says it got into Bain’s Pyxis platform with a username and password found in public web code. Bain says it fixed the issue quickly.
In short: A hacker group called CodeWall says it accessed Bain & Co’s Pyxis platform by using a username and password it found in publicly available web code.
CodeWall said it gained access to Pyxis, an internal Bain platform used by part of the firm’s private equity team. The tool helps staff review companies during due diligence, which is a close check of a business before an investment.
CodeWall said the key to getting in was simple: a username and password that had been written into public web code. Think of it like leaving a spare house key taped under the doormat, except the doormat was visible to anyone looking at the right web page.
The hacker said it was able to view nearly 10,000 conversations with Pyxis’s AI chatbot. CodeWall said these chats included questions from staff working with multiple Bain clients, including consumer brands asking about competitors. Pyxis analyzes large amounts of consumer transaction data that comes from a third-party supplier.
Bain said it immediately investigated after being alerted and brought in outside cyber security specialists. Bain said it quickly resolved the issue and added extra protections. The firm also said it disagreed with how CodeWall described the platform and the size of the problem.
This comes after similar reported issues involving other major consulting firms, including McKinsey and Boston Consulting Group. The common thread is speed: as firms build and roll out more AI tools quickly, it can become easier to miss basic security steps. For clients and employees, the key question is how companies will prove these tools are locked down before they are widely used.
Source: Financial Times