It turns out WeWork’s dicey wifi problem is exactly as bad as suspected.
Just a month after a report surfaced alarming security risks associated with the wifi offered at WeWork locations, an investigation from CNET has illustrated just how serious those security holes can be. The outlet reported it was able to review wifi scans from hundreds of exposed devices that laid bare an “astronomical amount” of private data, including emails, financial records, and client databases as well as scans of people’s IDs, their bank account credentials, and other sensitive information. It even turned up a birthday card sent over WeWork’s network that depicted Nicolas Cage’s face edited to make him look like a cat.
The data was accessed through wifi scans performed by Teemu Airamo, the head of digital media company Viveca Media, who told CNET he’s been flagging the issue to WeWork for years to no avail. Airamo, who operates his business out of a WeWork in Manhattan, reportedly runs regular scans to verify whether WeWork has updated its security protocols. While he told the outlet that he has no malicious intentions for doing so, it shows that a bad actor could easily do the same.
“There’s happenings of all kinds in the building, financial companies, companies left and right in different industries,” Airamo told CNET. “We have, inside this building, a number of financial companies, we have legal companies, and we have some random telemarketers.”
CNET reported that it identified two loan companies for which sensitive data, including bank account information, was exposed over WeWork’s wifi network. (CNET said it withheld their names in the report as the data was still accessible.) It also identified two other businesses, insurance company Axa XL and London-based recruitment outfit Hanover Search Group, as having had sensitive documentation exposed over WeWork’s network.
Hanover Search Group did not immediately return a request for comment. A spokesperson for Axa XL told Gizmodo in a statement by email that it has “a rigorous vendor management program in place that includes vetting cybersecurity protocols. Effective cyber security requires continuous improvements and we are reviewing this matter.”
The investigation into WeWork’s shoddy wifi security protections follows an August report from Fast Company surfacing myriad risks that included outdated wifi technology and poor password protocol. The report found that WeWork not only used easy-to-guess passwords for network access but also used the same wifi password for multiple WeWork locations.
CNET reported that not only were multiple WeWork outposts in California and New York using the same wifi password for different locations, the company also displays the network password in plain text on its app. As CNET noted, WeWork offers day passes that could offer a hacker with the right access a kind of data buffet.
Reached for comment, a spokesperson for WeWork told Gizmodo in a statement by email that it “takes the security and privacy of our members seriously and we are committed to protecting our members from digital and physical threats.”
“In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID or a dedicated end-to-end physical network stack,” the spokesperson added. But as CNET notes, those extra—and needed—security measures don’t come cheap. The private VLAN, for example, costs a monthly fee of $95 on top of a setup fee of $250.
The spokesperson said that WeWork could not comment beyond the provided statement, citing a “quiet period” ahead of its IPO—which might be normal if the IPO hadn’t been postponed this week over concerns about WeWork’s valuation and leadership. (WeWork also cited its supposed quiet period on Wednesday when it declined to comment on the absolutely batshit Wall Street Journal profile of its CEO Adam Neumann.)
You would think that an organization that fancies itself a tech company would invest even a modicum of effort into improving its password protocols—at the absolute very least—and you’d certainly hope this is the case for a company hemorrhaging billions of dollars. But, given that it is not, the best option for folks who aren’t interested in coughing up hundreds of dollars for a private VLAN or any of the other pricey alternatives that WeWork offers is to invest in a VPN for when you’re using public wifi.
Maybe, if you’re lucky, this company might eventually get its shit together.