Veeam holds its hands up, admits database leak was plain 'complacency'

Co-CEO: 'We should have done a better job'


Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses.

The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't password-protected – was left open for 13 days between 28 August and 10 September.

Security researcher Bob Diachenko discovered the resource and notified the storage and data management vendor. Once the data was hidden, the security researcher went public with his find, reporting that the 200GB database contained an eye-popping "445" million records.

Subsequent investigation by Veeam found that the marketing database actually contained 4.5 million unique records, many of which were replicated multiple times.

Diachenko said of the new number: "I can't really confirm or deny their revised figures, as in my researches I tend not to download the whole dump (at least, not in this case), so I did not have the possibility to parse data for unique email addresses."

The firm has notified regulators internationally, as well as customers and partners, of the breach.

McKay said the lead generation (ie, sales prospect) database was set up four years ago but hadn't even been used for two-and-a-half years.

"We should have found it but this was an isolated incident," McKay insisted. When El Reg suggested that Veeam should be leading by example in backup security, McKay conceded. "We should have done a better job."

Can McKay rule out similar problems in future? He said human error could always reoccur. "Improvements are a continuing process," he said, adding that Veeam intended to use the incident as a "learning experience".

Veeam has behaviour-based data management systems in development, but the vendor is not yet using them itself. When asked what advice he would give his peers on how to prevent such calamities, McKay had little to say beyond: "Don't get complacent."

It is not a rare occurrence for corporations to leave cloud-based MongoDB databases open for all to see, and discoverable using tools such as Shodan. Cybercrooks have developed a scam that involves deleting the content of MongoDB databases before charging an extortionate fee for the safe return of data.
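The exposure described in this story comes down to two mongod settings: which interfaces the server listens on, and whether clients must authenticate. The following script, added here as an illustration and not code from Veeam or The Register, audits a mongod.conf for exactly those two weaknesses and shows the weak configuration beside a hardened one. The two config texts are constructed samples; the minimal YAML subset parser and the `audit_mongod_conf` function are assumptions written for this example (they are not MongoDB tooling), and the parser deliberately handles only the indented key/value form mongod.conf uses so the example runs without PyYAML.

```python
"""Audit a mongod.conf for the two settings that turn a database into a
public, unauthenticated resource: listening on every interface and leaving
security.authorization disabled (the MongoDB default)."""

# Constructed sample: the "listen everywhere, no auth" setup. On mongod
# versions before 3.6 this was also the default when bindIp was omitted.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: bound to loopback plus one private address, auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.30.5
security:
  authorization: enabled
"""

# Bind values that mean "every interface" (assumption: the forms seen in practice).
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse the indented key/value subset used by mongod.conf into nested dicts.

    Not a general YAML parser (no lists, quoting or anchors); it is kept small
    so the example has no third-party dependency.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_simple_yaml(text)
    findings = []

    net = conf.get("net", {})
    # Since mongod 3.6 the default bind is localhost; older versions bound to all.
    bind = net.get("bindIp", "127.0.0.1")
    listens_everywhere = (
        net.get("bindIpAll", "false").lower() == "true"
        or any(addr.strip() in PUBLIC_BINDS for addr in bind.split(","))
    )
    if listens_everywhere:
        findings.append(
            "net.bindIp: listens on all interfaces; bind to loopback or private "
            "addresses and front the port with a firewall/security group"
        )

    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(
            "security.authorization: not enabled; any client that can reach the "
            "port gets unauthenticated access to every database"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "no findings")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`; the check is only as good as the config it sees, so pair it with an external reachability check from outside the VPC, since a cloud migration of the kind described above can change which network a correctly configured host is actually exposed to.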

McKay had no comment on the technical question of whether there's anything in how MongoDB works that might merit security improvements. He said that whether or not Veeam might decide to migrate away from the NoSQL vendor is a tactical question for its techies. ®
