Data management software companies are mandatorily believed to be having perfectly capable of managing their own data. However, it turns out that some companies, the most popular ones too, struggle to do so.
The well-known cloud data management firm Veeam has been in the news lately for grave mismanagement of its customer data, something the company should have been apt at. Reportedly, Veeam’s lackluster security practices for its databases stored online have exposed hundreds of millions of marketing records.
It is indeed surprising that Veeam has suffered such massive data mismanagement as the company often brags about the high level of security that it provides to its customer data. The company claims to “anticipate the need and meet demand, and move securely across multi-cloud infrastructures.” Veeam has over 307,000 customers and most of these customers are from the Fortune 500.
An exposed database was identified by security researcher Bob Diachenko that contained over 200gb of customer data. This includes private and confidential information like names, email IDs, and IP addresses. This sort of data could prove to be a treasure trove for spammers and threat actors to carry out a variety of attacks including phishing.
Diachenko stated in his blog post that the database wasn’t secured with a password and hence, could have been accessed by anyone having an idea where to look.
The database includes two collections each having 199.1million and 244.4million personal records and email IDs respectively. The data is of customers who registered with Veeam between 2013 and 2017. Veeam was notified about the presence of an unprotected database, and the company took the server offline within three hours.
Veeam’s spokesperson Heidi Kroft stated in response to the incident that the company will conduct a “deeper investigation” and appropriate measures will be implemented according to the findings. The official statement from Veeam after being notified about the database read:
“It has been brought to our attention that one of our marketing databases [containing] a number of non-sensitive records (that is, prospect email addresses) was possibly visible to third parties for a short period of time.”
Diachenko states that the misconfigured MongoDB server hosted on AWS (Amazon Web Services) was indexed by the Shodan.io vulnerability scanner on August 31 and he was able to discover it on September 5. However, he also claims that the information was mainly used for marketing leads and not as sensitive but can potentially be exploited by phishers and spammers.