ABBYY, the developer of optical character recognition and text-scanning software, left a server containing 142GB of a customer’s scanned documents exposed for anyone on the internet to access, no password required.
The AWS-hosted MongoDB server, accidentally left configured for public access, contained some 203,896 properly OCR’d contracts, non-disclosure agreements, memos, letters, and other sensitive documentation. TechCrunch reports that some of the exposed files date back as far as 2012.
The first ABBYY knew of the problem was when they were contacted by independent security researcher Bob Diachenko. As Diachenko explains in a LinkedIn post, he used the API of Shodan – a search engine that crawls the internet for connected devices – to discover the open accessible MongoDB installation, at which point in time he alerted ABBYY to the security issue.
A spokesperson for ABBYY was keen to describe the security breach as “a one-off incident” that “does not compromise any other services, products or clients of the company.”
The incident in question concerns one rather than several customers and files bearing commercial information. The customer has been duly notified and we are cooperating on corrective measures. As soon as [Diachenko] notified us we locked external access to the documents. We have made all the notifications that are legally required, have conducted a full corrective security review of our infrastructure, processes and procedures.
The name of the affected company has not been made public, but a glance at ABBYY’s website reveals that it has some well-known multinational organisations as customers.
ABBYY secured the data two days after they were notified by Diachenko.
Of course, it is good that the sensitive information is no longer publicly accessible, but we don’t know how long the data was available for or if anyone malicious might have used the same (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/ocr-abbyy-leaks-customer-mongodb-server-snafu/