Security & Fraud

IT Giant Tech Data Left Personal Customer Information Unsecured

databaste security

Fortune 500 company Tech Data left a server with access to customer and billing data unsecured, and it was compromised by security researchers, according to a report by TechCrunch.

Researchers Noam Rotem and Ran Locar, from vpnMentor, discovered and reported the vulnerability. The server in question was operating a database that was used to log company events for its StreamOne Cloud service.

StreamOne sells cloud services to customers and vendors, and the server had error data that staff could use to troubleshoot when things went wrong.  

However, the server was not password-protected, so anyone with a browser could find the information, which included names, addresses and job titles, among other personal data.

“Tech Data – the 45-year-old veteran infrastructure solutions company working with vendors such as Apple, Cisco, Samsung, Symantec, et al — had a full database leak that seemed to affect much of the corporate and personal data of clients and employees,” the researchers wrote. “We saw that there was a log management server (Graylog) that was leaking system-wide data. This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more.”

The only part of the data that was encrypted were credit card numbers. The database was very large, and the researchers also found private keys and some passwords.

Also included was machine and process information of clients’ internal systems, in which errors were available and that could easily help less-friendly hackers find out more about the system and its mechanics,” the researchers wrote.

The researchers reported the vulnerability to Tech Data, and they took it offline. Asked if it was going to tell customers about the security lapse, Tech Data didn’t respond to the news outlet about that specifically.

Tech Data spokesperson Bobby Eagle said, “Within hours of learning of this, the security vulnerability was corrected, and the server was disabled.”


New PYMNTS Report: Preventing Financial Crimes Playbook – July 2020 

Call it the great tug-of-war. Fraudsters are teaming up to form elaborate rings that work in sync to launch account takeovers. Chris Tremont, EVP at Radius Bank, tells PYMNTS that financial institutions (FIs) can beat such highly organized fraudsters at their own game. In the July 2020 Preventing Financial Crimes Playbook, Tremont lays out how.