A security breach at European data centre firm Interxion has exposed the contact details of thousands of its customers, although no financial information is thought to be involved.
Neither credit card details nor customer services were affected by last month’s security snafu, and only Interxion’s CRM system was affected, as the carrier-neutral colocation provider explained in and email to customers last weekend (extract given below):
Despite the multiple levels of protection in place, in December Interxion became aware that it had suffered a breach in our IT security.
The result of this was a temporary and localised compromise of the credentials to our CRM system, which resulted in the unauthorised access to some customer and prospect contact details.
The business contact information that was accessed consisted of names, job titles, and (business) contact details such as (business) email addresses and phone numbers.
No financial or other sensitive customer data was accessed, or is stored within this system. We emphasise that this incident only affected Interxion’s CRM system and did not impact or involve any of the data centres or services that Interxion provides.
No actions are required by you or any of our other customers and prospects regarding this incident.
El Reg learned of the breach from one of the customers who received the email, who has asked to remain anonymous. The main impact of the breach is in leaving business customers of the ISP exposed to greater risk from more convincing phishing scams, or other social engineering attacks, which might now feature genuine name, email and phone addresses.
A total of 23,200 customer records held on Interxion’s CRM have potentially been exposed by what the firm characterises as a vulnerability rather than a configuration error.
An Interxion spokesman told El Reg that the “vulnerability has been fixed and we have informed, where relevant, the appropriate authorities”.
“The incident did not impact or involve any of the data centres or services that Interxion provides,” he added. “The data compromised was that of our CRM system. The fields exposed were names, job titles, and contact details ... and no other contact information was compromised.” ®