Veeam holds its hands up, admits database leak was plain 'complacency'
Co-CEO: 'We should have done a better job'
Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses.
The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't password-protected – was left open for 13 days between 28 August and 10 September.
Security researcher Bob Diachenko discovered the resource and notified the storage and data management vendor. Once the data was hidden, the security researcher went public with his find, reporting that the 200GB database contained an eye-popping "445" million records.
Subsequent investigation by Veeam found that the marketing database actually contained 4.5 million unique records, many of which were replicated multiple times.
Diachenko said of the new number: "I can't really confirm or deny their revised figures, as in my researches I tend not to download the whole dump (at least, not in this case), so I did not have possibility to parse data for unique email addresses."
The firm has notified regulators internationally, as well as customers and partners, of the breach.
McKay said the lead generation (ie, sales prospect) database was set up four years ago but hadn't even been used for two-and-a-half years.
Back up a minute: Veeam database config snafu exposed millions of customer recordsREAD MORE
"We should have found it but this was an isolated incident," McKay insisted. When El Reg suggested that Veeam should be leading by example in backup security, McKay conceded. "We should have done a better job."
Can McKay rule out similar problems in future? He said human error could always reoccur. "Improvements are a continuing process," he said, adding that Veeam intended to use the incident as a "learning experience".
Veeam has behaviour-based data management systems in development and the vendor is not using it yet. When asked what advice he would give his peers on how to prevent such calamities, McKay had little to say beyond: "Don't get complacent."
Corporations leaving cloud-based MongoDB databases open for all to see, and discoverable using tools such as Shodan, are not a rare occurance. Cybercrooks have developed a scam that involves deleting the content of MongoDB databases before charging an extortionate fee for the safe return of data.
McKay had no comment on the technical question of whether there's anything in how MongoDB works that might merit security improvements. He said that whether or not Veeam might decide to migrate away from the NoSQL vendor is a tactical question for its techies. ®
Sponsored: Becoming a Pragmatic Security Leader