Veeam gaffe exposes over 445m customer records

By Dylan Bushell-Embling
Friday, 14 September, 2018

A massive database of over 445 million customer names and email addresses has been exposed online due to a security gaffe by backup and disaster recovery company Veeam.

Security researcher Bob Diachenko discovered the exposed database on a misconfigured MongoDB server. The 200 GB cache includes data collected over a four-year period between 2013 and 2017, and it is unclear how many records are duplicates.

According to Diachenko, the misconfigured server was left publicly searchable and accessible until 9 September, when Veeam was notified of the issue.

The collected information was being used by Veeam to reach out to customers using the Marketo marketing automation solution.

While there does not yet appear to be any evidence that the data was accessed by malicious third parties, Veeam has stated that it is conducting a deeper investigation into the gaffe.

Commvault Principal Architect Chris Gondek said the incident shows that every company is susceptible to data loss and breaches.

“The Veeam incident is unfortunate for a self-described intelligent data management company, but the reality is it could happen to any organisation. Rather than spread fear, uncertainty and doubt about a lack of capability, this incident should serve as a reminder to all organisations that data is an asset and a catalyst to many initiatives — and it must be protected,” he said.

“All organisations must be prepared for data loss scenarios or when, not if, it happens. Perimeter security is a prevention method, at best. Organisations need a proper data protection plan, with particular focus around recovery readiness and disaster recovery.”

Gondek added that the incident shows that it is time organisations hold businesses that deal in data to the same standard they would financial organisations.

“Take data found in the cloud: there is a perception that the cloud is more secure; that they’re the specialists and your data is not at risk. At the end of the day, your organisation is responsible for your data and information, irrespective of where you place it.”

Image credit: ©stock.adobe.com/au/weerapat1003

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.