A Fortune 500 company has addressed a security weakness responsible for a data leak that exposed 264GB worth of information.
On 2 June, vpnMentor security researchers Noam Rotem and Ran Locar discovered that a log management server owned by global technology distributor Tech Data Corporation did not require any authentication. This made it possible for anyone to view the server’s data at the time of discovery.
Rotem and Locar took a look inside the server and found that it contained 264 gigabytes worth of corporate information as well as personal data including names, email addresses and private API keys. The server also exposed machine and process information from clients’ internal systems, data that digital attackers could have used to target customers.
In their analysis of this information, the researchers found that the level of risk extended beyond the threat of a competitor using the exposed server to gain a business advantage. As they wrote in a blog post:
With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) – including for a criminal defense attorney, a utilities service provider, and more. There were enough details in this leak wherein a nefarious party could easily access users’ accounts – and possibly gain access to the associated permissions for said accounts.
Upon discovering the data leak, Rotem and Locar contacted Tech Data Corporation. The distributor responded within two days and fixed the leak that same day, a quick remediation time that prompted the researchers to praise the company for having acted “professional in handling news of the leak and [having] asked the real questions to solve the problem.”
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/fortune-500-company-addresses-weakness-behind-264gb-data-leak/