Tech Data Corporation Left 264GB of Personal and Financial Information in an Unprotected Database
Some of you may be unfamiliar with the name Tech Data Corporation, but you are bound to have heard of its customers. Tech Data is a Fortune 500 company that supplies some of the world's biggest technology enterprises with a wide variety of IT products and services. It has annual revenues of close to $40 billion, and it works with the likes of Apple, Microsoft, Sony, LG, HP, Dell, Cisco, etc. You probably think that Tech Data would have no problems storing sensitive information correctly. We have some bad news for you.
Security experts Noam Rotem and Ran Locar were helping vpnMentor's research team do some port scanning when they stumbled upon a database that was left facing the internet without any form of protection. Rotem and Locar are no strangers to seeing treasure troves of information exposed in such a way. They knew almost immediately, however, that this time, the data leak was serious.
Big companies create big databases
The first thing that the researchers noticed was the size of the Elasticsearch database. It weighed in at 264GB which suggested that it most probably belongs to a big company. Sure enough, when they looked into it, they realized that it had been set up by Tech Data.
According to TechCrunch's Zack Whittaker, the exposed database was used by Tech Data's StreamOne cloud service, which apparently processes not only customers' personal and financial information, but also some backend logs and details.
It was so big that Rotem and Locar simply didn't have the time to thoroughly examine it. They shared a portion of the data with Zack Whittaker who found records of "tens of thousands" of customers, but this is hardly enough to give us an idea of how big the impact could be. Whittaker asked Tech Data for more information, and the company did acknowledge the incident, though it decided not to comment on the specifics. What we do know for sure is that the database contained a truly bewildering array of data.
Tech Data inadvertently exposed a huge amount of personal and business information
Tech Data's StreamOne stored a huge amount of Personally Identifiable Information (PII) about users, including names, email and physical addresses, telephone numbers, job titles, etc. The database also contained login credentials as well as credit card details and some invoicing information. All the data, with the exception of the card numbers, was stored in plain text.
As if that wasn't enough, the leaky database held information that Tech Data's competitors might certainly be interested in, including private API keys, IP addresses, and a variety of other backend details.
Rotem and Locar did credit Tech Data's security team for their relatively quick reaction. Although the company failed to respond to the researchers' initial alert on June 2, it replied two days later when the second call came in. Within hours, the database was taken offline, and it's been inaccessible ever since. Acting quickly in case of a data leak is indeed very important. That said, a company of Tech Data's caliber should have probably prevented the exposure from happening in the first place.