- Dear Sir or Madam,
- In the spirit of open and transparent communication, we want to inform you about a security advisory that we published to some of our customers. Based on our analysis, we have already informed all affected customers. If you were not contacted directly earlier, you were not affected. Nevertheless, it is important to us to inform you about the background of the incident and the actions we have taken:
- On October 22, 2024, we were informed of a vulnerability by an independent security researcher in a report to the LfDI BW. This vulnerability affected uploaded documents that can be added within a personnel file in the "Documents" tab (e.g. course certificates, certificates of participation, etc.). The cause was an update of infrastructure components that we carried out on October 12, 2024. The update inadvertently activated a setting that is deactivated by default in our system, which meant that certain documents in the "Documents" area could be viewed by unauthorized third parties. However, access could only be achieved with extensive IT knowledge, the ability to write scripts, and knowledge that a URL for public access might exist.
- It is important to us to make clear:
- * The vulnerability only affected the fireplan desktop application and the data attachments added to it in the human resources area. Other areas, products or services of our company were and are not affected.
- * Access was only possible during the specified period and under the conditions described above.
- * Other areas of the personnel files or more sensitive data were never affected.
- What we did:
- * Immediate resolution: Within 30 minutes of the report, the vulnerability was completely closed.
- * Analysis and information: We analyzed exactly which customers were affected and informed them individually and immediately.
- For the future:
- We are very aware of the sensitivity and importance of your data. We have therefore reviewed and strengthened our internal update processes and security measures to prevent similar incidents in the future.
- If you have any questions about this security alert or our actions, please do not hesitate to contact us.
- We would like to once again expressly apologize to the affected customers for the situation that has arisen, and we thank you for your trust.
- Best regards
- Your fireplan team
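The root cause described above, an infrastructure update that silently switched on a setting that is off by default, is a configuration-drift failure, and the stated remedy is a stronger update process. The following is an added illustration of what such a post-deployment gate can look like; it is not fireplan's code, and every configuration key, value and function name in it is constructed for the example. It models the failure mode (an update merging its own defaults over the running configuration), a drift check that compares the effective configuration against a security baseline, and a simplified document-access decision that shows why the drifted setting matters.

```python
"""Post-deployment configuration drift check (added illustration, not fireplan's code).

All keys and values below are hypothetical. The idea: security-critical
settings get an explicit baseline, and a deploy only passes when the
effective configuration still matches it.
"""
from dataclasses import dataclass, field

# Hypothetical security baseline: each key must match this value exactly.
SECURITY_BASELINE = {
    "documents.public_url_access": False,      # constructed key name
    "documents.require_authentication": True,  # constructed key name
    "documents.signed_url_ttl_seconds": 300,   # constructed key name
}


@dataclass
class DriftReport:
    """Result of comparing the effective configuration with the baseline."""
    drifted: dict = field(default_factory=dict)  # key -> (expected, actual)
    missing: list = field(default_factory=list)  # baseline keys absent after deploy

    @property
    def ok(self) -> bool:
        return not self.drifted and not self.missing


def check_drift(effective: dict, baseline: dict = SECURITY_BASELINE) -> DriftReport:
    """Flag every baseline key that is missing or has a different value."""
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in effective:
            report.missing.append(key)
        elif effective[key] != expected:
            report.drifted[key] = (expected, effective[key])
    return report


def apply_update(current: dict, update_defaults: dict) -> dict:
    """Model of the failure mode: an update ships its own defaults and merges
    them over the running configuration, overriding deliberately chosen values."""
    merged = dict(current)
    merged.update(update_defaults)
    return merged


def document_access_allowed(config: dict, authenticated: bool, owns_file: bool) -> bool:
    """Simplified access decision for a personnel-file document.

    An authenticated user who owns the file is always allowed. Anyone else is
    allowed only if public URL access is explicitly enabled AND authentication
    is not required, i.e. exactly the combination the baseline forbids.
    """
    if authenticated and owns_file:
        return True
    public = config.get("documents.public_url_access", False)
    require_auth = config.get("documents.require_authentication", True)
    return bool(public and not require_auth)


def deploy_gate(effective: dict) -> bool:
    """Release gate: True only when no security-critical setting has drifted."""
    return check_drift(effective).ok


if __name__ == "__main__":
    # Constructed scenario: a known-good configuration, then an update whose
    # defaults flip two document settings.
    before = dict(SECURITY_BASELINE)
    after = apply_update(before, {
        "documents.public_url_access": True,
        "documents.require_authentication": False,
    })
    report = check_drift(after)
    print("gate before update:", deploy_gate(before))
    print("gate after update: ", deploy_gate(after))
    print("drifted keys:", report.drifted)
    print("anonymous access before:", document_access_allowed(before, False, False))
    print("anonymous access after: ", document_access_allowed(after, False, False))
```

Running the script shows the gate passing before the update and failing after it, naming the two drifted keys. The point of the pattern is that the baseline is checked against the configuration the service actually runs with after the deploy, not against the change set, so a value overridden by a component's bundled defaults is caught before the release goes live.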