IT gear distributor Tech Data is the latest company to expose an insecure database, jam packed with personal and sensitive information, to the public internet for anyone to rifle through.
A team at network security outfit vpnMentor was scanning cyber-space as part of a web-mapping project when they happened upon a Graylog management server belonging to Tech Data that had been left freely accessible to the public. Within that database, we’re told, was a 264GB cache of information including emails, payment and credit card details, and unencrypted usernames and passwords. Pretty much everything you need to ruin someone’s day (or year).
The exposure, vpnMentor told The Register today, is particularly bad due to the nature of Tech Data’s customers. The Fortune 500 distie provides everything from financing and marketing services to IT management and user training courses. Among the clients listed on its site are Apple, Symantec, and Cisco.
“This is a serious leak as far as we can see, so much so that all of the credentials needed to log in to customer accounts are available,” a spokesperson for vpnMentor told El Reg. “Because of the size of the database, we could not go through all of it and there may be more sensitive information available to the public than what we have disclosed here.”
In addition to the login credentials and card information, the researchers said they were able to find private API keys and logs in the database, as well as customer profiles that included full names, job titles, phone numbers, and email and postal addresses. All available to anyone who could find it.
vpnMentor says it discovered and reported the open database on June 2 to Tech Data, and by June 4 the distie had told the team it had secured the database and hidden it from public view. Tech Data did not respond to a request for comment from The Register. The US-based company did not mention the incident in its most recent SEC filings.
Should the exposed information prove genuine and current, Tech Data would likely have a messy clean-up on its hands, given the sensitive nature of the information that it had exposed. In addition to the login credentials and bank details, the database is said to contain sensitive corporate information that could prove useful for rival businesses or hostile governments.
“As Tech Data is such a significant player in the industry, the exposed database leaves it vulnerable to competitors looking to gain an unfair advantage and for hackers to take control of the systems, exploiting it with ransomware and the like,” vpnMentor noted in its summary of the blunder.
If there is anything Tech Data can take heart in, it is the knowledge that the enterprise IT giant is far from alone in leaving its server open to the public internet. Individual researchers and security companies have made an entire industry out of crawling blocks of IP addresses to sniff out cloud instances and servers that have not been properly configured to limit access and as a result were left open to anyone who could connect.
The solution to the issue is rather simple: check your server configurations and make sure access is limited strictly to authorized users. That is, admittedly, easier said than done in these days of exponential cloud growth and overextended admins. ®