The data management firm, Veeam, left a 200GB database defenceless and open to public query. 445 million customer records were stored in this database, including first and last name, email address, country of residence, IP addresses and more.
Veeam counts about 307,000 customers. Among them are Norwegian Cruise Line, Gatwick Airport, Scania, healthcare and educational institutions (several universities and school districts). IT security experts commented below.
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured, MongoDB databases is now a simple act for nefarious individuals. Organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Where data is publicly accessible because of misconfiguration of a service, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorised accesses, and encrypt sensitive data at rest. It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
Anurag Kahol, CTO at Bitglass:
“The Atlas Quantum data breach suggests that crypto services remain a high-profile target for hackers. Even those who do not actively use the platform to store or invest in crypto may have had their personal data exposed.
For companies like Atlas, that store mass amounts of user data, reputation and user data security are closely tied. Quickly identifying the cause of this breach and mitigating the threat of further data loss is a critical next step for Atlas and prevention should be top of mind for all companies that store high-value data.”
Jonathan Bensen, Director of Product Management/ Acting CISO at Balbix:
“Attackers are always lurking in the shadows with the intent to strike at the drop of a hat, and leaving a database containing 440 million customer emails exposed without a password makes these bad actors’ lives even easier. When 81 percent of all breaches involve weak or stolen passwords (according to Verizon’s Data Breach Report of 2017), enterprises must achieve visibility into their password posture and be continuously vigilant in monitoring it to prevent major breaches such as this from occurring.”
Luke Brown, VP EMEA at WinMagic:
“All incidents involving the careless handling of sensitive data must be treated seriously. It defies belief that at a time when the issue of data privacy is uppermost in many people’s minds, companies are still showing a flagrant disregard for the security of our personal and sensitive information. The irony is that preventing these incidents is simple. The answer? Encrypt the data so no matter where it is – on an endpoint, data-centre or in the cloud – only those who are meant to see the data, see the data.”