GETTING AN EMAIL from security researchers must induce panic attacks in digital heads around the country. The latest to get the dreaded email is Fortune 500 technology giant Tech Data, which was informed by security researchers Noam Rotem and Ran Locar that the company's log management server was leaking personal data. Not a little data either: 264GB worth.
This data wasn't inconsequential: a sample seen by TechCrunch contained names, postal addresses, email addresses, job titles, invoicing data and receipts, as well as partial payment information like card type, cardholder names and expiry dates.
While the card numbers were obfuscated, the data wasn't encrypted, and it's possible there's more than this: going through an entire 264GB file is somewhat time-consuming, after all. The site did say the sample its reporters saw contained "tens of thousands of customers," and it was a fraction of the larger database.
This data was kept on a server for support agents to look at for troubleshooting purposes, but the company had neglected to put a password on it - meaning anybody with access to a web browser could look at the logs at will.
The leak was disclosed to Tech Data on 2 June,§ with the company responding with a fix two days later, which isn't too bad a turnaround time, even if the error itself is still hard to forgive.
"Within hours of learning of this, the security vulnerability was corrected, and the server was disabled," a Tech Data spokesperson told ZDNet.
"Based on what we know at this time, there is no evidence that the data stored on the affected server was misused for any unauthorised transactions or other fraud. We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed."
The spokesperson added that no login information for accounts was stored on the server. That's the closest you're getting to good news in this story, so enjoy. µ
Slack, hack and crack
A flaw in the protocol affects iOS, macOS and Windows 10
Wig wearer has issue with non-wig-wearer