UPDATED 22:43 EDT / SEPTEMBER 11 2018


Cloud data management firm Veeam exposes 200GB of data on AWS instance

Cloud data management company Veeam Software Inc. is the latest of many companies to expose customer data via a misconfigured cloud instance, with 200 gigabytes of data relating to more than 440 million customer records found online.

Detailed by security researcher Bob Diachenko, the leak was discovered on a MongoDB database installation hosted on an Amazon Web Services instance.

Many data exposures in the past were discovered by security researchers specifically looking for them on AWS, but Diachenko’s discovery of the data came via a search of the Shodan search engine, which indexed the data on Aug. 31, meaning that it easily could have been found by others as well.

“I [came] across [the data] on September 5th and after quick data analysis I’ve been trying to responsibly disclose the information, without success,” Diachenko wrote. The “server was left publicly searchable and wide open until September 9th, when it was quietly secured after several notification attempts.”

The data is said to consist of marketing leads as opposed to sensitive personal information but did include business contact details that could be used for nefarious purposes.

In a statement, Veeam said that “it has been brought to our attention that one of our marketing databases [containing] a number of non-sensitive records (that is, prospect email addresses) was possibly visible to third parties for a short period of time,” and that they “have now ensured that all Veeam databases are secure.”

“Veeam takes data privacy and security very seriously, and a full investigation is currently underway,” the company added.

Although the incident is unfortunate, Veeam has been described previously by SiliconANGLE’s theCUBE as a standout company in virtual data backup and recovery.

As of May, Veeam had more than 300,000 customers and was adding 133 new customers per day or 10,000 per quarter. Given that the data exposed did not involve confidential information, it’s unlikely that it will affect those numbers going forward.

Jonathan Bensen, director of product management and acting chief information security officer at Balbix Inc., told SiliconANGLE that “leaving a database containing 440 million customer emails exposed without a password makes these bad actors’ lives even easier. When 81 percent of all breaches involve weak or stolen passwords (according to Verizon’s Data Breach Report of 2017), enterprises must achieve visibility into their password posture and be continuously vigilant in monitoring it to prevent major breaches such as this from occurring.”

Photo: Raysonho/Wikimedia Commons
