The Swiss-based data company Veeam exposed more than 445 million records through a misconfigured MongoDB database, hosted on Amazon Web Services, that required no password to access.
The 200GB open database was discovered by independent security researcher Bob Diachenko on 5 September. Diachenko said he immediately tried to inform Veeam of the issue but received no response; the database remained fully open until 9 September, when it was locked down.
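The password-less instance described above is the classic MongoDB exposure: authorization is off by default, and an instance bound to every interface on a cloud host is reachable by anyone the security group lets through. The following mongod.conf fragments are an added illustration, not Veeam's configuration or anything reported in the article; the certificate path and the private VPC address are assumed, and the `net.tls` block applies to MongoDB 4.2 or later (older releases use `net.ssl`).

```yaml
# Added example, not the original article's or Veeam's configuration.
# Document 1: the exposed shape. With authorization disabled (MongoDB's default),
# anyone who can reach port 27017 can list, read, dump or drop every database;
# binding to 0.0.0.0 makes the listener reachable on every interface, so only the
# AWS security group stands between the data and the internet.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Document 2: the hardened shape.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.20          # loopback plus the private VPC address only (assumed address)
  tls:                                  # MongoDB 4.2+; use net.ssl on older releases
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
security:
  authorization: enabled                # every client must authenticate before any command runs
```

After switching `authorization` to `enabled`, create the first administrative user over the localhost exception before restarting, otherwise you lock yourself out. The practical check is the one Diachenko effectively ran: from a network you do not trust, `mongo --host <address> --eval 'db.adminCommand("listDatabases")'` should fail with an authentication error or a connection timeout; if it returns database names, the instance is open. Pair the host-level change with a security group that allows 27017 only from the application subnets, since the bindIp restriction alone does nothing if a later change binds it back to 0.0.0.0.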
The information on the server spanned a four year period and was used by the company’s marketing team and included "the customer’s first and last name, email, email recipient type (end-customer or partner), country, attributes values (which in some cases have IP address, referrer URL address, user agent etc.), and customer organisation size (Enterprise (>5000), Commercial (500-5000), SMB (<500), ENT – Enterprise)," Diachenko wrote.
The data offered spammers a ready cache of email addresses to work from, and the company was lucky not to have been hit by the ransomware attacks that have been targeting open MongoDB instances, Diachenko said.
Industry insiders were aghast at Veeam's apparent lack of insight into its own security posture and were quick to offer recommendations that all companies using cloud services should implement.
"It defies belief that at a time when the issue of data privacy is uppermost in many people’s minds, companies are still showing a flagrant disregard for the security of our personal and sensitive information. The irony is that preventing these incidents is simple. The answer? Encrypt the data so no matter where it is – on an endpoint, data-centre or in the cloud – only those who are meant to see the data, see the data," Luke Brown, VP EMEA at WinMagic, told SC Media.
Anurag Kahol, CTO of Bitglass, said the human element has to be taken out of the loop when it comes to checking security, because manual checks are too slow. He specifically cited signature-based anti-malware tools as reactive, because they require humans to identify new malware and add it to the predefined lists the tools scan against.
"Like with any other cyber-security tool, automation is the name of the game. Relying upon humans to perform manual work (even at regular intervals) will always leave time and space for malicious individuals to attack the enterprise," he said.
Lacework CTO Vikram added that all this has to start at the top, with the organisation thinking through what is needed and making sure everyone understands what has to be done.
"The one thing that protects you is proper policies, since misconfigured policies mean everybody has access. Organisations have to understand that without visibility into their environments, along with analysis that alerts to deviations from normal activity, they will be unable to identify and isolate possible holes in their infrastructure," he said.
SC Media has contacted Veeam for comment but has not yet received a response.