The company did not operate with industry’s best practices
It is very easy to assume that data management software companies are perfectly capable of managing their own information. However, it turns out that some companies, even the most popular ones, have difficulty doing this job. Veeam, a well-known cloud data management firm, has recently been struck by a serious failure to manage the data of its clients, a basic task for the company. As ethical hacking specialists report, Veeam’s insufficient security practices for its online stored databases have exposed hundreds of millions of marketing records.
In fact, it is surprising that Veeam has suffered a massive mismanagement of data, as the company often boasts of the high level of security it provides to its customers’ data. Veeam has more than 307k customers; many of these are leading companies.
The specialist in ethical hacking Bob Diachenko identified an exposed database containing more than 200GB of customer data. This includes private and confidential information such as names, email addresses, and IP addresses. This type of data could be a treasure for spammers and malicious agents to carry out various attacks, including phishing campaigns.
Diachenko stated in his report that the database was not protected with a password and therefore anyone with knowledge and dedication enough to find this data online could access it.
The database includes two collections, each with 199.1 million and 244.4 million of personal records and emails, respectively. The data correspond to customers who registered in Veeam between 2013 and 2017. Veeam was notified about the presence of the unprotected database, and the company disconnected the server in three hours.
Spokespersons for Veeam stated regarding the incident that the company will conduct a thorough investigation, in addition to the implementation of appropriate measures in accordance with the findings. In the official statement of the company can be read: “We have been informed that one of our marketing databases containing a number of non-confidential records (email addresses, for example) was possibly visible to third parties for a brief period of time”.
According to experts in ethical hacking from the International Institute of Cyber Security, leaked information could be used in aggressive advertising campaigns, as well as cyberattacks that exploit personal information, such as spear phishing.