The data management firm Veeam left a 200GB database unprotected and open to public query. The database stored 445 million customer records, including first and last names, email addresses, countries of residence, IP addresses and more.
Veeam counts about 307,000 customers, among them Norwegian Cruise Line, Gatwick Airport, Scania, and healthcare and educational institutions (several universities and school districts). IT security experts comment below.
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured MongoDB databases is now a simple act for nefarious individuals. Organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Where data is publicly accessible because of misconfiguration of a service, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorised accesses, and encrypt sensitive data at rest. It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
Anurag Kahol, CTO at Bitglass:
“Data management companies simply must ensure that user information is protected and that regulatory demands are being addressed. For security debacles like Veeam’s (wherein a database containing 200 GB of customer information was exposed), failing to protect data can harm customers, damage a company’s reputation, lead to fines under various regulations, and, in some scenarios, cause an enterprise to fail entirely. This incident is a reminder that organizations handling sensitive customer data must remain vigilant in checking for misconfigurations, denying unauthorized access, and encrypting sensitive data.”
Jonathan Bensen, Director of Product Management / Acting CISO at Balbix:
“Attackers are always lurking in the shadows with the intent to strike at the drop of a hat, and leaving a database containing 440 million customer emails exposed without a password makes these bad actors’ lives even easier. When 81 percent of all breaches involve weak or stolen passwords (according to Verizon’s Data Breach Report of 2017), enterprises must achieve visibility into their password posture and be continuously vigilant in monitoring it to prevent major breaches such as this from occurring.”
Luke Brown, VP EMEA at WinMagic:
“All incidents involving the careless handling of sensitive data must be treated seriously. It defies belief that at a time when the issue of data privacy is uppermost in many people’s minds, companies are still showing a flagrant disregard for the security of our personal and sensitive information. The irony is that preventing these incidents is simple. The answer? Encrypt the data so no matter where it is – on an endpoint, data-centre or in the cloud – only those who are meant to see the data, see the data.”