It's Shodan embarrassing: Red-faced Rubrik blames public-facing DB on developer ballsup
Sandbox test environment door left wide open
Rubrik has fingered one of its developers after a database packed with customer information was left exposed. Security researcher Oliver Hough spotted the database, which apparently was not protected by a password.
Rubrik shut the door after it was informed of the breach earlier this week.
The firm told The Register that the luckless developer had been working on a way to "improve a Rubrik customer's experience" – although it didn't specify what this was – when they achieved the opposite, thereby exposing a database of corporate customers' names, contact details and support interactions with Rubrik on the DB, which is said to have been hosted on an Amazon server.
Rubrik co-founder and CTO Arvind Nithrakashyap blogged on Tuesday: "A sandbox customer support and success development environment... was inadvertently left accessible for a brief period of time. We investigated and rectified the issue immediately. We have confirmed that no customer-owned data was exposed."
The developer failed to set the right access control level to the database and the default setting left it open to external access. Rubrik claimed no customer-owned data had been exposed – although we understand the DB was indexed on the Shodan search engine, meaning others could have spotted it – and said it had set up stricter processes and security reviews.
Customers of copy data managers such as Actifio and Delphix might wonder why a database copy with sensitive data masked out wasn't used by Rubrik's developer, or indeed, why the server was public-facing at all.
Jeff Williams, CTO and co-founder of Contrast Security, offered his thoughts: "I think the lesson is that you can never leave configuration up to humans."
He added that security in such matters should be automated: "The real lesson... is that by turning security into code, it can be built, tested, and managed in a completely automated fashion. To the maximum extent possible we have to get the humans out of the loop. We'll never stamp out all errors, but this is basic blocking and tackling... We can't afford to get burned by the simple stuff."
Too right. ®
Sponsored: Becoming a Pragmatic Security Leader