
Veeam holds its hands up, admits database leak was plain 'complacency'

Co-CEO: 'We should have done a better job'


Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses.

The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't password-protected – was left open for 13 days between 28 August and 10 September.

Security researcher Bob Diachenko discovered the resource and notified the storage and data management vendor. Once the data was hidden, the security researcher went public with his find, reporting that the 200GB database contained an eye-popping "445" million records.

Subsequent investigation by Veeam found that the marketing database actually contained 4.5 million unique records, many of which were replicated multiple times.

Diachenko said of the new number: "I can't really confirm or deny their revised figures, as in my research I tend not to download the whole dump (at least, not in this case), so I did not have the possibility to parse the data for unique email addresses."

The firm has notified regulators internationally, as well as customers and partners, of the breach.

McKay said the lead generation (ie, sales prospect) database was set up four years ago but hadn't even been used for two-and-a-half years.


"We should have found it but this was an isolated incident," McKay insisted. When El Reg suggested that Veeam should be leading by example in backup security, McKay conceded. "We should have done a better job."

Can McKay rule out similar problems in future? He said human error could always reoccur. "Improvements are a continuing process," he said, adding that Veeam intended to use the incident as a "learning experience".

Veeam has behaviour-based data management systems in development, but the vendor is not using them yet. When asked what advice he would give his peers on how to prevent such calamities, McKay had little to say beyond: "Don't get complacent."

Corporations leaving cloud-based MongoDB databases open for all to see, and discoverable using tools such as Shodan, is not a rare occurrence. Cybercrooks have developed a scam that involves deleting the content of MongoDB databases before charging an extortionate fee for the safe return of the data.
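The failure described in this story is a MongoDB instance that listens on a public interface with no authentication. The following is an added example, not code from Veeam or from the original article: a small audit script that reads a mongod.conf and flags the two settings whose absence produces exactly that exposure (no `security.authorization: enabled`, and `net.bindIp` set to a wildcard), plus a missing `net.tls.mode: requireTLS`. The two config snippets are constructed samples, one weak and one hardened; the mini-parser is assumed to cover only the nested `key: value` subset of YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for the settings that turn a MongoDB instance into a
world-readable dump: authorization, network binding and TLS.
Added example; the two configs below are constructed, not real deployments."""

from typing import Dict, List

# Constructed sample: the kind of config that leaves an instance open to anyone
# who can reach port 27017.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: same instance with the three controls in place.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Minimal parser for the YAML subset mongod.conf uses (nested 'key: value').
    Returns a flat dict of dotted keys, e.g. {'net.bindIp': '0.0.0.0'}."""
    result: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        # Leaving a nested block: pop every key at the same or deeper indent.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            result[".".join(k for _, k in stack)] = value
    return result


def audit(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no exposure-relevant gap."""
    findings: List[str] = []

    # 1. Authorization: without it every collection is readable by any client.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "reaches the port can read and delete every collection")

    # 2. Binding: mongod 3.6+ defaults to localhost, so a wildcard is always a
    #    deliberate choice and deserves a finding.
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp/bindIpAll expose the listener on every "
                        "interface; bind to loopback or a private address")

    # 3. Transport: credentials and data cross the wire in clear text otherwise.
    if conf.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS': traffic, including "
                        "any credentials, is sent unencrypted")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_text(conf)
        print(f"{name}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

Run against a real file with `audit_text(open("/etc/mongod.conf").read())`. The script only reads configuration; a follow-up check that fits the same story is confirming from outside the host that port 27017 is not reachable from any network the database has no business serving.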

McKay had no comment on the technical question of whether there's anything in how MongoDB works that might merit security improvements. He said that whether or not Veeam might decide to migrate away from the NoSQL vendor is a tactical question for its techies. ®
