Hundreds of millions of customer records stored by a Swiss-based company were exposed to outside access after the company failed to secure a cloud database in which such records were stored.
Earlier this month, Bob Diachenko, a cyber security researcher specialising in investigating data breaches and responsible disclosure, observed that Veeam, a Swiss-based company that offers data backup, storage, and intelligent data management software, had left a 200GB database exposed to outside access.
Diachenko wrote in a blog post on the discovery that he took a look at the database after it was indexed by Shodan on August 31st. On September 5th, he observed the exposed database, noted its contents and subsequently, along with Zack Whittaker of TechCrunch, tried to contact the owners of the database as per responsible disclosure policies, but without much success. However, he noticed that on 9th September, the database had quietly vanished, suggesting that its owners had indeed taken action.
Veeam database contained over 445 million data records
The 200 GB database, according to Diachenko, contained a massive chunk of data that was being used by Veeam to communicate with their customers via a software firm named Marketo. It was hosted on Amazon’s cloud server and data stored in it was left publicly searchable and open until 9th September.
He added that the database contained a total of 445 million records that included people’s first and last names, their nationalities, email recipient status based on whether they were customers or partners, and customer organisation size, such as SMBs, commercial organisations employing between 500 and 5000 people, or enterprises hiring over 5000 people. Such data spanned a four-year period between 2013 and 2017.
“Even taking into account the non-sensitivity of data, the public availability of such a large, structured and targeted dataset online could become a real treasure chest for spammers and phishers. It is also a big luck that the database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs,” he noted.
The importance of securing your cloud database
Commenting on the exposure of the cloud database containing hundreds of millions of data records, Mike Schuricht, VP Product Management at Bitglass, said that identifying specific attack vectors like misconfigured MongoDB databases is now a simple act for nefarious individuals.
“Organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Where data is publicly accessible because of misconfiguration of a service, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information.
“This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorised accesses, and encrypt sensitive data at rest. It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks,” he added.
If Diachenko’s analysis claiming the exposure of 445 million records turns out to be accurate, this exposure could be larger than a similar breach in June that exposed up to 340 million individual records.
That exposure occurred when Exactis, a Florida-based marketing firm, left a cloud database open for public access that contained detailed information on 230 million people and 110 million U.S. business contacts, totaling up to 2TB of raw data. Similar to how Diachenko discovered the Veeam database exposure, the exposure of Exactis’ database was discovered by Vinny Troia, the founder of Night Lion Security, when he was searching for databases on Shodan.
“It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he told Wired.