Once again, a Fortune 500 company has proved how ignorant the corporate world remains regarding database security. Allegedly, the firm Tech Data leaked huge records online including customers personal and billing details.
Tech Data Exposed Sensitive Records
The researchers from vpnMentor, while continuing with their web mapping project, stumbled upon another security lapse. Allegedly, the duo, Noam Rotem and Ran Locar, found leaky servers exposing huge records online.
As explained in their blog post, they found client servers belonging to the firm “Tech Data” leaked 264GB of info. The information contained on the servers (and subsequently exposed) included detailed PII data and billing details of customers.
Elaborating their findings, the researchers stated,
We saw that there was a log management server (Graylog) that was leaking system-wide data. This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more.
Specifically, this information included personally identifiable information such as names, email addresses, contact numbers, fax numbers, postal addresses, and job titles. Besides, the other exposed details included usernames and passwords in plain text, bank information, payment details, and private API keys.
Moreover, the leaked details also included some information regarding clients’ systems that could allow hackers find further data.
Security Lapse Rectified
Commenting on the dangers associated with this security lapse, the researchers said:,
There were enough details in this leak wherein a nefarious party could easily access users’ accounts – and possibly gain access to the associated permissions for said accounts. As Tech Data is such a significant player in the industry, the exposed database left it vulnerable to competitors looking to gain an unfair advantage and for hackers to take control of the systems, exploiting it with ransomware and the like.
The researchers spotted this breach on June 2, 2019, and informed the firm of the mater the same day. Fortunately, after two days, they could confirm that Tech Data fixed the matter. They also appreciated the promptness of the firm in handling the matter.