[BreachExchange] Fortune 500 firm Tech Data leaks 264Gb of data online

Destry Winant destry at riskbasedsecurity.com
Tue Jun 11 00:41:30 EDT 2019


https://www.itwire.com/security/fortune-500-firm-tech-data-leaks-264gb-of-data-online.html

Security researchers from virtual private network firm vpnMentor have
found an unsecured server belonging to American multinational tech
vendor Tech Data online, containing 264GB of data about its client
servers, invoices, SAP integrations and plaintext passwords.

Noam Rotem and Ran Locar said in a blog post that more than one in
four Fortune 500 companies had experienced a data breach in the last
decade and thus Tech Data was "part of an elite, but particularly
vulnerable, club".

Tech Data has been in business for 45 years and says it is "one of the
world’s largest technology distributors. We help companies like HP,
Apple, Cisco, Microsoft — and hundreds of others — bring their
products to market, and we offer a wide range of technical and
business support services".

The company claims to have more than 125,000 customers in more than
100 countries, with over 50,000 transactions every day. It is ranked
83 on the Fortune 500 list. Last year, its revenue amounted to US$37.2
billion, making it the second largest publicly traded company in
Florida.

Rotem and Locar said they had discovered the leak on 2 June and tried
to inform Tech Data about it the same day but could not make contact.
They tried again a couple of days later and were successful. Tech Data
fixed the unsecured server the same day.

The duo said they had found a log management server that was leaking
system-wide data.

"This contained email and personal user data, as well as reseller
contact and invoice information, payment and credit card data,
internal security logs, unencrypted logins and passwords, and more,"
they wrote.

"This was a serious leak as far as we could see, so much so that all
of the credentials needed to log in to customer accounts were
available."

Some of the data included private API keys, bank information, payment
details, usernames and unencrypted passwords.

Additionally, personally identifiable information — full names, job
titles, email addresses, postal addresses, telephone numbers and fax
numbers — was visible.

Commenting on the leak, Chris DeRamus, chief technology officer and
co-founder of IT governance firm DivvyCloud, said: "Like most Fortune
500 companies, Tech Data was embracing self-service access to cloud
services and software-defined infrastructure. The speed and agility of
these services is essential for companies seeking to gain and maintain
a competitive edge.

"Unfortunately, developers and engineers can often move too quickly
and bypass critical security and compliance policies. The speed of
workload deployment, rate of change and an increasing number of users
can quickly overwhelm any company’s ability to keep corporate data
secure and maintain compliance."

DeRamus said Tech Data had housed this customer data so that its staff
could efficiently troubleshoot issues that arose when customers tried
to buy cloud services from its StreamOne cloud service.

"Unfortunately, forgetting to set a password on the server and failing
to encrypt the data leaves the affected customers at risk of highly
focused spear phishing or brute force campaigns," he said. "As a
Fortune 500 company, Tech Data can face serious implications including
decreased brand value, diminished shareholder trust, potential
lawsuits and beyond."

While leaving servers unprotected seemed like a simple mistake to
make, DeRamus said more and more companies suffered data breaches as
the result of misconfigurations. "We read about them in the news
almost every day – most recently [it was] JCrush.

"The truth is, organisations are lacking the proper tools to identify
and remediate insecure software configurations and deployments.
Automated cloud security solutions give companies the ability to
detect misconfigurations and alert the appropriate personnel to
correct the issue, and they can even trigger automated remediation in
real time."

Jonathan Bensen, the chief information security officer of cyber
security provider Balbix, said digital transformation had led to an
exponential increase in the size of the enterprise attack surface.

"That, coupled with the fact that 51% of organisations report a
problematic shortage of cyber security skills, according to ESG’s
annual survey, can result in data breaches due to misconfigurations
and other poor security practices," he said.

"In Tech Data’s defence, companies are tasked with the hefty burden of
continuously monitoring all assets across hundreds of potential attack
vectors to detect vulnerabilities. Through this process, companies are
likely to detect thousands of flaws in their network – far too many to
tackle all at once."

Bensen added that Fortune 500 companies like Tech Data, and other
companies that housed massive amounts of data, must leverage
artificial intelligence to assist corporate security teams in
monitoring for vulnerabilities.

"The top AI-based security tools can automatically discover and
monitor all IT assets across a broad range of attack vectors,
prioritise remediations based on business risk and even implement
automatic remediation workflows by integrating into enterprise
ticketing and security orchestration systems," he said.

Contacted for comment, Tech Data External Communications director
Bobby Eagle said: "Tech Data recently learned of a security
vulnerability involving a server associated with our StreamOne
marketplace. Within hours of learning of this, the security
vulnerability was corrected, and the server was disabled.

"Based on what we know at this time, there is no evidence that the
data stored on the affected server was misused for any unauthorised
transactions or other fraud. We are continuing to investigate this
incident and will satisfy all data reporting requirements, as needed.

"We do not store any credit card numbers or bank account details in
the StreamOne marketplace. Importantly, no credentials necessary for
logging into StreamOne or other Tech Data customer accounts were
included on the server.

"While our investigation continues, we can advise that the server data
may have included a combination of business data such as information
found on a business card and certain other information, such as
one-time-use credentials to activate a specific cloud service, and
date and time of service activations.

"Tech Data takes the protection of our customers’, partners’ and
employees’ data very seriously. As always, our focus is on maintaining
data security and confidentiality."

