Security researchers from virtual private network firm vpnMentor have found an unsecured server belonging to American multinational tech vendor Data Tech online, containing 264GB of data about its client servers, invoices, SAP integrations and plaintext passwords.
Noam Rotem and Ran Locar said in a blog post that more than one in four Fortune 500 companies had experienced a data breach in the last decade and thus Tech Data was “part of an elite, but particularly vulnerable, club”.
Tech Data has been in business for 45 years and says it is “one of the world’s largest technology distributors. We help companies like HP, Apple, Cisco, Microsoft — and hundreds of others — bring their products to market, and we offer a wide range of technical and business support services”.
The company claims to have more than 125,000 customers in more than 100 countries, with over 50,000 transactions every day. It is ranked 83 on the Fortune 500 list. Last year, its revenue amounted to US$37.2 billion, making it the second largest publicly traded company in Florida.
Rotem and Locar said they had discovered the leak on 2 June and tried to inform Tech Data about it the same day but could not make contact. They tried again a couple of days later and were successful. Tech Data fixed the unsecured server the same day.
The duo said they had found a log management server that was leaking system-wide data.
“This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more,” they wrote.
“This was a serious leak as far as we could see, so much so that all of the credentials needed to log in to customer accounts were available.”
Some of the data included private API keys, bank information, payment details, usernames and unencrypted passwords.
Additionally personally identifiable information — full names, job titles, email addresses, postal addresses, telephone numbers and fax numbers — was visible.
Commenting on the leak, Chris DeRamus, chief technology officer and co-founder of IT governance firm DivvyCloud, said: “Like most Fortune 500 companies, Tech Data was embracing self-service access to cloud services and software-defined infrastructure. The speed and agility of these services is essential for companies seeking to gain and maintain a competitive edge.
“Unfortunately, developers and engineers can often move too quickly and bypass critical security and compliance policies. The speed of workload deployment, rate of change and an increasing number of users can quickly overwhelm any company’s ability to keep corporate data secure and maintain compliance.”
DeRamus said Tech Data had housed this customer data so that its staff could efficiently troubleshoot issues that arose when customers tried to buy cloud services from its StreamOne cloud service.
“Unfortunately, forgetting to set a password on the server and failing to encrypt the data leaves the affected customers at risk of highly focused spear phishing or brute force campaigns,” he said. “As a Fortune 500 company, Tech Data can face serious implications including decreased brand value, diminished shareholder trust, potential lawsuits and beyond.”
While leaving servers unprotected seemed like a simple mistake to make, DeRamus said more and more companies suffered data breaches as the result of misconfigurations. “We read about them in the news almost every day – most recently [it was] JCrush.
“The truth is, organisations are lacking the proper tools to identify and remediate insecure software configurations and deployments. Automated cloud security solutions enable companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.”
Jonathan Bensen, the chief information security officer of cyber security provider Balbix, said digital transformation had led to an exponential increase in the size of the enterprise attack surface.
“That, coupled with the fact that 51% of organisations report a problematic shortage of cyber security skills, according to ESG’s annual survey, can result in data breaches due to misconfigurations and other poor security practices,” he said.
“In Tech Data’s defence, companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once.”
Bensen added that Fortune 500 companies like Tech Data, and other companies that housed massive amounts of data, must leverage artificial intelligence to assist corporate security teams in monitoring for vulnerabilities.
“The top AI-based security tools can automatically discover and monitor all IT assets across a broad range of attack vectors, prioritise remediations based on business risk and even implement automatic remediation workflows by integrating into enterprise ticketing and security orchestration systems,” he said.
iTWire has contacted Tech Data for comment.