
Veeam holds its hands up, admits database leak was plain 'complacency'

Co-CEO: 'We should have done a better job'

Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses.

The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't password-protected – was left open for 13 days between 28 August and 10 September.

Security researcher Bob Diachenko discovered the resource and notified the storage and data management vendor. Once the data was hidden, the security researcher went public with his find, reporting that the 200GB database contained an eye-popping "445" million records.

Subsequent investigation by Veeam found that the marketing database actually contained 4.5 million unique records, many of which were replicated multiple times.

Diachenko said of the new number: "I can't really confirm or deny their revised figures, as in my researches I tend not to download the whole dump (at least, not in this case), so I did not have the possibility to parse the data for unique email addresses."

The firm has notified regulators internationally, as well as customers and partners, of the breach.

McKay said the lead generation (ie, sales prospect) database was set up four years ago but hadn't even been used for two-and-a-half years.


"We should have found it but this was an isolated incident," McKay insisted. When El Reg suggested that Veeam should be leading by example in backup security, McKay conceded. "We should have done a better job."

Can McKay rule out similar problems in future? He said human error could always reoccur. "Improvements are a continuing process," he said, adding that Veeam intended to use the incident as a "learning experience".

Veeam has behaviour-based data management systems in development, but the vendor is not using them yet. When asked what advice he would give his peers on how to prevent such calamities, McKay had little to say beyond: "Don't get complacent."

Corporations leaving cloud-based MongoDB databases open for all to see, and discoverable using tools such as Shodan, are not a rare occurrence. Cybercrooks have developed a scam that involves deleting the content of MongoDB databases before charging an extortionate fee for the safe return of the data.
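The two settings whose absence left the Veeam database readable by anyone who found it are network binding and authentication (plus transport encryption, since the article notes the data was unencrypted). The script below is an added example, not code from the article or from Veeam: it parses the YAML subset used by a standard mongod.conf into dotted keys and flags the weak settings, with a constructed weak configuration beside a constructed hardened one. It treats a missing net.bindIp as a finding on purpose, because MongoDB releases before 3.6 listened on all interfaces by default.

```python
# Added example (not from the article or from Veeam): audit a mongod.conf
# for the settings that turn a database into a public read-only file share.
# Both configurations below are constructed for illustration.

WEAK_CONF = """\
# constructed: listens on every interface, no auth, no TLS
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed: loopback plus one private address, auth on, TLS required
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.30.40
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the indentation-based 'section:' / 'key: value' subset of
    mongod.conf YAML into a flat dict with dotted keys (e.g. net.tls.mode).
    Comments and blank lines are skipped; lists and quoting beyond simple
    surrounding quotes are not handled."""
    result = {}
    stack = []  # (indent, section name) for the enclosing sections
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        # Leave every section that is at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip() == "":
            stack.append((indent, key.strip()))
        else:
            full = ".".join([name for _, name in stack] + [key.strip()])
            result[full] = value.strip().strip("\"'")
    return result


def audit(conf):
    """Return (setting, finding) pairs for an exposed-database configuration."""
    findings = []

    bind_all = conf.get("net.bindIpAll", "").lower() == "true"
    bind_ip = conf.get("net.bindIp")
    if bind_all:
        findings.append(("net.bindIp", "bindIpAll is true: listens on every interface"))
    elif bind_ip is None:
        findings.append(("net.bindIp", "not set: versions before 3.6 default to all interfaces"))
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append(("net.bindIp", "wildcard address: listens on every interface"))

    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append(("security.authorization",
                         "not enabled: anyone who can reach the port can read the data"))

    # net.tls.* is the current key family; older releases used net.ssl.mode.
    tls_mode = conf.get("net.tls.mode", conf.get("net.ssl.mode", "disabled"))
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append(("net.tls.mode", "TLS not required: traffic is readable on the wire"))

    return findings


def audit_conf_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for setting, finding in audit_conf_text(conf) or [("-", "no findings")]:
            print(f"  {setting}: {finding}")
```

Running the audit over the weak configuration reports all three settings; the hardened one reports nothing. A file-level check like this catches the misconfiguration before deployment, but it says nothing about what the host's firewall or cloud security group allows, so the same three properties should also be verified from outside the host after a migration of the kind described above.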

McKay had no comment on the technical question of whether there's anything in how MongoDB works that might merit security improvements. He said that whether or not Veeam might decide to migrate away from the NoSQL vendor is a tactical question for its techies. ®
