UPDATED 18:44 EST / DECEMBER 19 2024

SECURITY

Database belonging to Builder.ai found exposing 1.29TB and 3M+ records

More than 3 million records and 1.29 terabytes of data belonging to a prominent artificial intelligence startup have been found exposed on a misconfigured cloud storage system.

Discovered by security researcher Jeremiah Fowler and detailed by Website Planet, the unprotected database was allegedly found to belong to Builder.ai, an AI-powered software development platform provider that had raised $450 million in venture capital funding, including a round of $250 million in May 2023.

The exposed database contained a mix of sensitive and operational data that could put both Builder.ai’s clients and internal operations at risk.

Among the 3 million records was personally identifiable information such as names, email addresses, phone numbers and physical addresses. The database also included project details, including ongoing and completed software development plans, client interactions and timelines, which could expose intellectual property to malicious actors or competitors.

In addition to client data, the exposed database included internal communications between Builder.ai employees. According to Fowler, the emails and messages discussed client projects, operational challenges and confidential business strategies. The database also included financial records, including invoices and payment details, increasing the risk of fraudulent activities and financial exploitation.

The breach was attributed to a misconfigured cloud storage system that lacked adequate security settings, allowing unauthorized access. Builder.ai isn’t the first company to expose data this way and it won’t be the last, though a company with $450 million in venture capital should have processes in place to prevent such potentially dangerous data exposures.

But although Builder.ai should have known better, what comes next is just as worrisome. Fowler details how, despite his sending multiple messages starting Oct. 28, the database remained exposed and accessible to all and sundry for almost a month. Builder.ai also knew the database was exposed, with an employee telling Fowler by email at one point that “unfortunately, it’s taking longer than we’d like due to some complexities with dependent systems” to get the database taken down.

Though Fowler doesn’t say which cloud provider the database was hosted on, if it was Amazon Web Services Inc., it takes maybe no more than 10 seconds to change read permissions on AWS services such as S3.

Fowler does note that it’s not clear whether the database was owned and managed by Builder.ai directly or via a third party. Still, that a company like Builder.ai, with a huge amount of VC funding, couldn’t fix a simple security issue, either directly or with a third party, raises questions.

The length of the exposure and the fact that Builder.ai, which is based in the U.K., failed to take action when advised also raise legal questions under various privacy laws, including the U.K. Data Protection Act 2018, the original European Union General Data Protection Regulation and the complementary U.K. GDPR.
