Careless server configuration by Veeam exposed 200GB of data


Veeam, which specializes in cloud data management, is the latest company to expose consumer data by misconfiguring a cloud instance. Roughly 200 gigabytes of data from more than 440 million customers was publicly viewable.

That’s what security researcher Bob Diachenko writes in a blog post on LinkedIn. The leak was found in a MongoDB database hosted on Amazon Web Services. He discovered the data through a search on the Shodan search engine, which had indexed it on 31 August. This means that others may have seen the data as well.

No private data

Diachenko states that he found the data on 5 September and immediately released an analysis of it. The server could be searched by anyone and remained fully open until 9 September, after which it was quietly secured. Before that time, he had already sent a number of messages to Veeam, according to his own statement.

The leaked data is mainly related to marketing and consists mostly of e-mail addresses. It does not contain much sensitive personal data, but it does include business contacts that can be abused. In a statement, Veeam says that it has now ensured that all the databases it manages are secure.

High growth

Last May, Veeam had 300,000 customers. Every day it gains 133 new ones, roughly 10,000 per quarter. Since the disclosed data did not contain any personal or confidential information, there is little chance that those growth rates will suffer as a result.

Still, the leak is very annoying for Veeam. Most data leaks occur because malicious parties manage to capture passwords, or because the security measures in place are only moderate. That is not what happened here: simply not enough was done to protect the data. In other words, human error, and that is exactly what is most dangerous when it comes to security.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.