The data management firm Veeam left a 200GB database unprotected and open to public query. 445 million customer records were stored in this database, including first and last name, email address, country of residence, IP addresses and more.
Veeam counts about 307,000 customers. Among them are Norwegian Cruise Line, Gatwick Airport, Scania, healthcare and educational institutions (several universities and school districts). IT security experts commented below.
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured MongoDB databases is now a simple act for nefarious individuals. Organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Where data is publicly accessible because of misconfiguration of a service, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorised access, and encrypt sensitive data at rest. It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
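The class of misconfiguration Schuricht refers to, a mongod bound to every interface with authorization switched off, is visible in the server's own configuration file before anyone ever scans for it. The script below is an added example and is not code from the original article or from any company quoted in it; the two mongod.conf fragments are constructed for illustration, and the parser handles only the indented key: value subset of YAML that mongod.conf uses (no lists, no keys containing colons).

```python
"""Audit a mongod.conf for the 'reachable from anywhere, no auth' misconfiguration.

Added example, not from the article. Both configs below are constructed.
"""
import ipaddress

# Constructed weak config: listens on every interface, no security section at all.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed hardened config: loopback plus one private address, auth and TLS required.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

RANK = {"local": 0, "private": 1, "public": 2}


def parse_conf(text):
    """Minimal parser for the nested 'key: value' YAML subset found in mongod.conf."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (values containing '#' unsupported)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # 'key:' with nothing after it opens a nested mapping
            node = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value
    return root


def _exposure(addr):
    """Classify one bindIp entry as 'local' (loopback), 'private' (RFC1918/ULA) or 'public'."""
    addr = addr.strip()
    if addr in ("", "0.0.0.0", "::", "*"):  # wildcard forms mongod accepts
        return "public"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "public"  # hostnames or socket paths: assume the worst
    if ip.is_loopback:  # check first: loopback also reports is_private
        return "local"
    return "private" if ip.is_private else "public"


def audit(conf):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        worst = "public"
    else:
        # mongod 3.6+ binds to localhost when bindIp is absent.
        entries = str(net.get("bindIp", "127.0.0.1")).split(",")
        worst = max((_exposure(e) for e in entries), key=RANK.__getitem__)
    auth_on = str(security.get("authorization", "disabled")) == "enabled"
    tls_required = net.get("tls", {}).get("mode") == "requireTLS"

    if worst == "public" and not auth_on:
        findings.append(("CRITICAL", "bound to a public/wildcard address with authorization disabled: "
                                     "anyone who can reach the port can dump every collection"))
    elif worst == "public":
        findings.append(("HIGH", "bound to a public/wildcard address; restrict net.bindIp and firewall the port"))
    elif worst == "private" and not auth_on:
        findings.append(("HIGH", "reachable from the private network with authorization disabled"))
    elif worst == "local" and not auth_on:
        findings.append(("LOW", "loopback only, but any local user can read and write all data"))
    if worst != "local" and not tls_required:
        findings.append(("MEDIUM", "net.tls.mode is not requireTLS; credentials and data cross the network in clear text"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "OK")
```

Run against the weak fragment the audit reports a CRITICAL finding (wildcard bind, no authorization) and a MEDIUM one (no TLS); the hardened fragment produces no findings. The bind-address check is deliberately conservative: anything it cannot parse as an IP literal is treated as public, which is the right default when the cost of a false negative is an open database.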
Anurag Kahol, CTO at Bitglass:
“Data management companies simply must ensure that user information is protected and that regulatory demands are being addressed. For security debacles like Veeam’s (wherein a database containing 200 GB of customer information was exposed), failing to protect data can harm customers, damage a company’s reputation, lead to fines under various regulations, and, in some scenarios, cause an enterprise to fail entirely. This incident is a reminder that organizations handling sensitive customer data must remain vigilant in checking for misconfigurations, denying unauthorized access, and encrypting sensitive data.”
Jonathan Bensen, Director of Product Management / Acting CISO at Balbix:
“Attackers are always lurking in the shadows with the intent to strike at the drop of a hat, and leaving a database containing 440 million customer emails exposed without a password makes these bad actors’ lives even easier. When 81 percent of all breaches involve weak or stolen passwords (according to Verizon’s Data Breach Report of 2017), enterprises must achieve visibility into their password posture and be continuously vigilant in monitoring it to prevent major breaches such as this from occurring.”
“All incidents involving the careless handling of sensitive data must be treated seriously. It defies belief that at a time when the issue of data privacy is uppermost in many people’s minds, companies are still showing a flagrant disregard for the security of our personal and sensitive information. The irony is that preventing these incidents is simple. The answer? Encrypt the data so no matter where it is – on an endpoint, data-centre or in the cloud – only those who are meant to see the data, see the data.”