An American IT giant has fixed a “major” data leak that exposed payment, invoice, account and contact information for the company’s reseller and MSP partners. It wasn’t clear whether the leak was a hacking incident or a malware-related intrusion.
The Clearwater, Fla.-based IT distribution giant leaked some 264 gigabytes of client and employee corporate and personal data, providing access to Tech Data’s client servers, invoices, SAP integrations and plain-text passwords, according to two vpnMentor security researchers.
vpnMentor said its researchers had discovered the data leak and reached out to Tech Data on Sunday, with Tech Data’s team responding to a follow-up contact attempt and fixing the data leak on Tuesday. vpnMentor praised the “expertise and dedication” of the Tech Data team in handling news of the leak professionally and asking real questions to solve the problem.
The logging data contained error information that Tech Data staff can use to troubleshoot issues that arise when customers try to buy service online. But Tech Data didn’t put a password on the server, TechCrunch said, meaning that anyone with a web browser could look over daily logs for the last several months. The database was pulled offline after disclosure by vpnMentor.
vpnMentor characterized the leak as “serious” since all of the credentials needed to log in to customer accounts were available. A simple search of the exposed database turned up payment information, personally identifiable information, and full company and account details for end users and managed service providers such as a criminal defense attorney or utilities service provider, vpnMentor found.
The leak contained enough details for an adversary to easily access a user’s account, and potentially even gain access to the associated permissions for said accounts, according to vpnMentor. The exposure left Tech Data vulnerable to threat actors looking to take control of the systems and exploit them with ransomware as well as competitors looking to gain an unfair advantage, vpnMentor said.
It’s unclear exactly how many customer records were in the exposed Tech Data database, TechCrunch said. The portion of data obtained by TechCrunch contained information on tens of thousands of customers, but TechCrunch said the database was vastly bigger in size.
Some of the sensitive information available in the Tech Data data leak included: private API keys; bank information; payment details; usernames and unencrypted passwords; full names; job titles; email addresses; postal addresses; telephone numbers; and fax numbers.
Machine and process information for clients’ internal systems was also exposed, which vpnMentor said could help hackers find out more about the system and its mechanics. Due to ethical reasons and the size of the database, vpnMentor said it didn’t go through the entire exposed database, meaning that additional sensitive information might have been available to the public.
vpnMentor found the data breach at Tech Data due to a huge web mapping project the website is currently undertaking, which involves the use of port scanning to examine known IP blocks. This can reveal gaps in web systems, which vpnMentor said are then examined for vulnerabilities, including potential data exposure and breaches.