Rubrik Exposes Customer Data, May Face GDPR Fines


Rubrik, an IT security and cloud data management company, has suffered a massive data leak. The company pulled the server offline on Tuesday (Jan. 29) after being alerted to the leak, which was discovered by security researcher Oliver Hough. The exposed server wasn’t protected with a password.

The database, an Elasticsearch instance hosted on Amazon's service, held tens of gigabytes of data, including customer names, contact information and the support case history for each corporate client. Part of the database also held emails from corporate clients, complete with signatures giving names, job titles and phone numbers, along with some sensitive details of customers' setup and configuration.
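The failure described above is a cluster that answers anonymous HTTP requests. The following is an added example, not code from the article or from Rubrik: a small probe that requests the cluster root and the index listing with no credentials and reports what an anonymous client can see, alongside two stand-alone test servers (one mimicking an open cluster, one that challenges with 401) so it runs offline. The cluster name, index names and sizes in the mock responses are constructed, not taken from the incident.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access (added example)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_elasticsearch(base_url, timeout=5):
    """Query an Elasticsearch endpoint with no credentials.

    Returns a dict: reachable (any HTTP answer), unauthenticated (the root
    answered with cluster metadata), http_status, cluster_name, and the
    index names an anonymous client can list.
    """
    base = base_url.rstrip("/")
    result = {"reachable": False, "unauthenticated": False,
              "http_status": None, "cluster_name": None, "indices": []}

    def get_json(path):
        with urllib.request.urlopen(base + path, timeout=timeout) as resp:
            result["http_status"] = resp.status
            return json.loads(resp.read().decode("utf-8"))

    try:
        root = get_json("/")
    except urllib.error.HTTPError as exc:
        # 401/403 means something (X-Pack, a proxy, an IAM policy) is
        # challenging anonymous clients: reachable but closed.
        result["reachable"] = True
        result["http_status"] = exc.code
        return result
    except (urllib.error.URLError, OSError):
        return result  # nothing listening, or a network error

    result["reachable"] = True
    # An open cluster answers the root with its name and version block.
    if isinstance(root, dict) and "cluster_name" in root:
        result["unauthenticated"] = True
        result["cluster_name"] = root["cluster_name"]
        try:
            # _cat/indices is what a browsing attacker hits next: it lists
            # every index name with its document count and on-disk size.
            indices = get_json("/_cat/indices?format=json")
            result["indices"] = sorted(i["index"] for i in indices)
        except (urllib.error.HTTPError, urllib.error.URLError, OSError):
            pass
    return result


# Constructed responses imitating an Elasticsearch 6.x cluster; not real data.
OPEN_ROOT = {"name": "node-1", "cluster_name": "support-sandbox",
             "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"}
OPEN_INDICES = [
    {"health": "green", "index": "support-cases",
     "docs.count": "120000", "store.size": "18.3gb"},
    {"health": "green", "index": "customer-contacts",
     "docs.count": "4100", "store.size": "2.1mb"},
]


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

    def _send(self, code, payload, headers=()):
        body = json.dumps(payload).encode("utf-8")
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


class OpenClusterHandler(_QuietHandler):
    """Mimics a cluster with no authentication in front of it."""
    def do_GET(self):
        if self.path == "/":
            self._send(200, OPEN_ROOT)
        elif self.path.startswith("/_cat/indices"):
            self._send(200, OPEN_INDICES)
        else:
            self._send(404, {"error": "not found"})


class SecuredClusterHandler(_QuietHandler):
    """Mimics a cluster that challenges anonymous requests."""
    def do_GET(self):
        self._send(401, {"error": "unauthorized"},
                   headers=[("WWW-Authenticate", 'Basic realm="security"')])


def probe_local(handler_cls):
    """Serve handler_cls on an ephemeral port, probe it, return the result."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_elasticsearch("http://127.0.0.1:%d" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, handler in (("open", OpenClusterHandler),
                           ("secured", SecuredClusterHandler)):
        print(label, probe_local(handler))
```

Against a real host, call `probe_elasticsearch("http://host:9200")` from a network position you are authorised to test from; a 401 or 403 on the root means some access control is in place, while cluster metadata plus an index list is exactly the view the researcher would have had of the server described here.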

Some of Rubrik's biggest clients include the Scottish government, the U.S. Department of Defense and CarePoint Health. The exposed database revealed that Deloitte, Shell, Amalgamated Bank, the U.K. National Health Service, the U.S. Department of Homeland Security and other federal government departments are also on its client roster.

“While building a new solution for customer support, a sandbox environment containing a subset of our [customers’] corporate contact information and support interaction data was potentially accessible for a brief period of time,” said a Rubrik spokesperson. “We rectified this issue immediately.”

“We also confirmed that no customer-owned data was exposed,” the spokesperson noted, adding that “other than the security researcher who discovered this issue, no one has accessed this environment.” The company said it has traced the exposure to human error.

Rubrik didn’t say whether it would notify its customers or regulators, but it may face penalties under the GDPR: the leaked contact details (names, job titles, email addresses and phone numbers) are personal data of individuals, and some of those individuals work for European customers. If found to be in breach of the EU’s data protection law, the company could be fined up to 4 percent of its global annual revenue or €20 million, whichever is higher.