264GB of customer data exposed by Fortune 500 company Tech Data
Security researches have found 264 gigabytes of data exposed on a server belonging to Tech Data Corp., a Fortune 500 information technology provider that provides services to some of the world’s largest companies.
Discovered recently by researchers Noam Rotem and Ran Locar at vpnMentor, the exposed data included email and personal user data, reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, client servers, invoices, SAP SE integrations and more.
The data in question came from a log management server that Tech Data had failed to secure with a password. Gaining access to the data did not require any difficulty, with anyone able to access it via a web browser.
Tech Data confirmed the data exposure, saying that they had “recently learned of a security vulnerability” and that “within hours of learning of this, the security vulnerability was corrected, and the server was disabled.” That claim, however, doesn’t match up with what the security researchers experienced. They say they informed Tech Data about the data exposure on June 2 and it took two days for the company to respond, including pulling the database offline.
“Based on what we know at this time, there is no evidence that the data stored on the affected server was misused for any unauthorized transactions or other fraud,” Tech Data told CRN. “We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed.”
Chris DeRamus, chief technology officer and co-founder of cloud security firm DivvyCloud Corp., told SiliconANGLE that like many large companies, Tech Data was embracing self-service access to cloud services and software-defined infrastructure.
“Unfortunately, developers and engineers can often move too quickly and bypass critical security and compliance policies,” DeRamus explained. “The speed of workload deployment, rate of change and an increasing number of users can quickly overwhelm any company’s ability to keep corporate data secure and maintain compliance.”
Jonathan Bensen, chief information security officer at security firm Balbix Inc., said that in Tech Data’s defense, companies have a tough burden in having to monitoring all assets across hundreds of potential attack vectors continuously to detect vulnerabilities, often finding hundreds of vulnerabilities — more than they can tackle all at once.
“Fortune 500 companies like Tech Data, and other companies that house massive amounts of data must leverage artificial intelligence as a tool that can assist corporate security teams in monitoring for vulnerabilities,” Bensen noted. “The top AI-based security tools can automatically discover and monitor all IT assets across a broad range of attack vectors, prioritize remediations based on business risk and even implement automatic remediation workflows by integrating into enterprise ticketing and security orchestration systems.”
Ben Goodman, vice president of global strategy and innovation at identity management platform ForgeRock Inc., said that given that data contained not only personally identifiable information but also information around customer usage, the security risks are high.
“The downstream effect is not just the theft of this data, but this information can be used in highly targeted phishing attacks and the data can even be cross-referenced with previously pilfered information on the dark web to launch credential stuffing attacks and potentially gain access to much more sensitive financial, healthcare or even government-related accounts,” Goodman said. Not surprisingly, he advised that companies need to provide identity verification to put more barriers between the hacker and sensitive information.
Image: Tech Data
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU