Veeam gaffe exposes over 445m customer records


By Dylan Bushell-Embling
Friday, 14 September, 2018


A massive database of over 445 million customer names and email addresses has been exposed online due to a security gaffe by backup and disaster recovery company Veeam.

Security researcher Bob Diachenko discovered the exposed database on a misconfigured MongoDB server. The 200 GB cache includes data collected over a four-year period between 2013 and 2017, and it is unclear how many records are duplicates.

According to Diachenko, the misconfigured server was left publicly searchable and accessible until 9 September, when Veeam was notified of the issue.

Veeam was using the collected information to reach out to customers through the Marketo marketing automation solution.

While there does not yet appear to be any evidence that the data was accessed by malicious third parties, Veeam has stated that it is conducting a deeper investigation into the gaffe.

Commvault Principal Architect Chris Gondek said the incident shows that every company is susceptible to data loss and breaches.

“The Veeam incident is unfortunate for a self-described intelligent data management company, but the reality is it could happen to any organisation. Rather than spread fear, uncertainty and doubt about a lack of capability, this incident should serve as a reminder to all organisations that data is an asset and a catalyst to many initiatives — and it must be protected,” he said.

“All organisations must be prepared for data loss scenarios or when, not if, it happens. Perimeter security is a prevention method, at best. Organisations need a proper data protection plan, with particular focus around recovery readiness and disaster recovery.”

Gondek added that the incident shows that it is time organisations hold businesses that deal in data to the same standard they would financial organisations.

“Take data found in the cloud: there is a perception that the cloud is more secure; that they’re the specialists and your data is not at risk. At the end of the day, your organisation is responsible for your data and information, irrespective of where you place it.”


