A Fortune 500 company has addressed a security weakness responsible for a data leak that exposed 264GB worth of information.
On 2 June, vpnMentor security researchers Noam Rotem and Ran Locar discovered that a log management server owned by global technology distributor Tech Data Corporation did not require any authentication. This made it possible for anyone to view the server's data at the time of discovery. Rotem and Locar took a look inside the server and found that it contained 264 gigabytes worth of corporate information as well as personal data including names, email addresses and private API keys. There was also exposed machine and process information of clients’ internal systems, data which digital attackers could have used to target customers. In their analysis of this information, the researchers found that the level of risk extended beyond the threat of a competitor using the exposed server to gain a business advantage. As they wrote in a blog post:
With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) – including for a criminal defense attorney, a utilities service provider, and more. There were enough details in this leak wherein a nefarious party could easily access users’ accounts – and possibly gain access to the associated permissions for said accounts.
Upon discovering the data leak, Rotem and Locar contacted Tech Data Corporation. The distributor responded within two days and fixed the leak that same day, a quick remediation time that prompted the researchers to praise the company for having acted "professional in handling news of the leak and [having] asked the real questions to solve the problem." Bobby Eagle, a spokesman for Tech Data Corporation, told Bank Information Security that Tech Data Corporation has discovered no evidence of bad actors having abused the information stored on the exposed server to commit fraud. He went on to say that the company would continue with its investigation into the data leak and that it would abide by all necessary data reporting requirements going forward. News of this incident comes two months after researchers discovered several exposed servers containing 590 million resumes that belonged to Chinese recruitment firms
