Cloud data management company Veeam Software Inc. is the latest of many companies to expose customer data via a misconfigured cloud instance, with 200 gigabytes of data relating to more than 440 million customer records found online.
Detailed by security researcher Bob Diachenko, the leak was discovered on a MongoDB database installation hosted on an Amazon Web Services instance.
Many data exposures in the past were discovered by security researchers specifically looking for them on AWS, but Diachenko’s discovery of the data came via a search of the Shodan search engine, which indexed the data on Aug. 31, meaning that it easily could have been found by others as well.
“I [came] across [the data] on September 5th and after quick data analysis I’ve been trying to responsibly disclose the information, without success,” Diachenko wrote. The “server was left publicly searchable and wide open until September 9th, when it was quietly secured after several notification attempts.”
The data is said to consist of marketing leads as opposed to sensitive personal information but did include business contact details that could be used for nefarious purposes.
In a statement, Veeam said that “it has been brought to our attention that one of our marketing databases [containing] a number of non-sensitive records (that is, prospect email addresses) was possibly visible to third parties for a short period of time,” and that they “have now ensured that all Veeam databases are secure.”
“Veeam takes data privacy and security very seriously, and a full investigation is currently underway,” the company added.
Although the incident is unfortunate, Veeam has been described previously by SiliconANGLE’s theCUBE as a standout company in virtual data backup and recovery.
As of May, Veeam had more than 300,000 customers and was adding 133 new customers per day or 10,000 per quarter. Given that the data exposed did not involve confidential information, it’s unlikely that it will affect those numbers going forward.
Jonathan Bensen, director of product management and acting chief information security officer at Balbix Inc., told SiliconANGLE that “leaving a database containing 440 million customer emails exposed without a password makes these bad actors’ lives even easier. When 81 percent of all breaches involve weak or stolen passwords (according to Verizon’s Data Breach Report of 2017), enterprises must achieve visibility into their password posture and be continuously vigilant in monitoring it to prevent major breaches such as this from occurring.”
Photo: Raysonho/Wikimedia Commons