ABBYY woes: Doc-reading software firm leaves thousands of scans blowing in wind

Document-reading software flinger ABBYY exposed more than 203,000 customer documents as the result of a MongoDB server misconfiguration. The AWS-hosted MongoDB server was accidentally left publicly accessible and contained 142GB of scanned documents including over 200,000 scanned contracts, memos, letters and other sensitive …

  1. Korev Silver badge

    And the customer's customers?

    It appears that ABBYY has acted reasonably responsibly*; I wonder if the customers whose data have been vulnerable have been informed by the unnamed third party?

    * Apart from allowing a DB of 200k+ records to be misconfigured and left in a "public" place, of course.

    1. GnuTzu

      Re: And the customer's customers? -- And Six Degrees Thereof

      Yup. X entrusts data to Y, who in turn entrusts it to Z, and so on, from cloud to cloud to cloud.

      And do the warranties of each match the security policies of each and are reasonably ensured at each point?

      Sigh.

  2. iron

    No data was lost to an unknown party during the exposure.

    Bull-fucking-shit. Since you had no access control you have no idea who accessed that data, it could have been downloaded by hackers 20,000 times for all you know.

    1. Anonymous Coward

      Re: No data was lost to an unknown party during the exposure.

      Perfect example of 'Brassing it out' !!!

      They cannot identify who accessed the data BUT can issue a 'reassurance' with impunity as equally no-one can prove any miscreant DID access it!!!

      They just need to keep a 'straight face' while looking 'concerned' !!!

      1. vtcodger Silver badge

        Re: No data was lost to an unknown party during the exposure.

        It's conceivable that they actually had access time logging turned on and thus could tell that no one had been reading the files. (What is the point of storing 203,000 files no one is looking at?)

    2. Mike 16

      Re: No data was lost to an unknown party during the exposure.

      You need to parse that in the lawyerese sense. Maybe data was lost, but they know who nicked it, so it was not lost to an unknown party. As to whether that "knowledge" is more detailed than "User A. Nony. Mouse at an IP address 'somewhere in China'", we'll never know. And more importantly, as others have noted, neither will the customers whose data went walkies.

  3. a_yank_lurker

    Configuring Databases

    It seems that too many do not take the time to properly secure their databases. While some dbs do try to get users to configure them correctly, the dbas should not assume they are properly secured until they have actually done the recommended steps in their entirety. Do not assume the db is secure by default, always assume it is insecure by default.
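The "assume it is insecure by default" point above comes down to two mongod settings in this case: what interfaces the server listens on and whether authorization is enabled. The following is an added example (not code from the article, ABBYY, or the commenter) that audits a mongod.conf for exactly that combination; the two sample configs are constructed, and the parser only handles the flat two-level `section:` / `  key: value` subset of the YAML format.

```python
"""Audit a mongod.conf for the pairing that makes a MongoDB instance world-
readable: bound to every interface with authorization disabled.
Added example; both sample configs below are constructed."""

from typing import Dict, List, Tuple

# Constructed sample: listens everywhere, no 'security' section at all.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback plus one private address, auth switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.2.15
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' subset of mongod.conf
    (no lists, anchors or deeper nesting; '#' starts a comment)."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means neither
    misconfiguration is present."""
    findings: List[Tuple[str, str]] = []
    net = conf.get("net", {})
    sec = conf.get("security", {})
    bind = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"

    if bind is None and not bind_all:
        # mongod 3.6+ defaults to localhost when bindIp is absent; older
        # releases bound every interface, so the version decides.
        findings.append(("info", "net.bindIp not set: default depends on mongod version, confirm it"))
        exposed = False
    else:
        addrs = [a.strip() for a in (bind or "").split(",") if a.strip()]
        exposed = bind_all or any(a in ("0.0.0.0", "::", "*") for a in addrs)
        if exposed:
            findings.append(("high", f"listens on all interfaces ({bind or 'bindIpAll'})"))

    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append(("high", "security.authorization is not 'enabled': any client that can reach the port reads every collection"))
    if exposed and not auth_on:
        findings.append(("critical", "public listener with no authentication"))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(parse_mongod_conf(text)))
```

The check is deliberately narrow: it says nothing about network-level controls (security groups, firewalls), which are the other half of the picture and are a separate audit. Turning authorization on also does nothing until actual users and roles exist, so an empty finding list here means "these two knobs are set", not "the deployment is secure".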

  4. Cowboy Bob

    Subnets

    On AWS it is trivial to configure private subnets and public subnets within your VPC, leaving only the public subnets with access to the Internet gateway and the private subnets unroutable from the outside world. In other words, standard networking isolation. If anyone installs a DB of any kind in a public subnet, they should be hauled over hot coals, slowly, before being thrown to a pack of rabid hyenas.
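What makes a subnet "public" in the sense the comment above means is a route table entry sending 0.0.0.0/0 to an internet gateway. The following is an added example (not code from the article, ABBYY, or the commenter) that walks a small inventory and flags database hosts sitting in such a subnet, plus security groups that open a database port to the world. The inventory is constructed with hypothetical ids; the field names loosely follow the JSON shapes of `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-instances` but the structure here is simplified rather than a faithful copy.

```python
"""Flag database hosts placed in public subnets (route table has
0.0.0.0/0 -> igw-*) and database ports opened to 0.0.0.0/0.
Added example; the inventory below is constructed."""

from typing import Dict, List, Set

# Constructed inventory with hypothetical ids.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]
SECURITY_GROUPS = {
    "sg-db-open": [{"FromPort": 27017, "ToPort": 27017, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-db-app":  [{"FromPort": 27017, "ToPort": 27017, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
}
INSTANCES = [
    {"InstanceId": "i-mongo-bad", "SubnetId": "subnet-pub-a",
     "SecurityGroups": ["sg-db-open"], "Tags": {"role": "db"}},
    {"InstanceId": "i-mongo-ok", "SubnetId": "subnet-priv-a",
     "SecurityGroups": ["sg-db-app"], "Tags": {"role": "db"}},
    {"InstanceId": "i-web", "SubnetId": "subnet-pub-a",
     "SecurityGroups": ["sg-db-app"], "Tags": {"role": "web"}},
]

# Well-known database listener ports worth flagging when world-reachable.
DB_PORTS = {27017, 5432, 3306, 6379, 9200}


def public_subnets(route_tables) -> Set[str]:
    """A subnet is public if its route table sends the default route to an IGW."""
    public: Set[str] = set()
    for rt in route_tables:
        to_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in rt["Routes"])
        if to_igw:
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public


def world_open_db_ports(sg_rules) -> List[int]:
    """Database ports that an inbound rule exposes to 0.0.0.0/0."""
    ports: List[int] = []
    for rule in sg_rules:
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            ports.extend(p for p in sorted(DB_PORTS) if lo <= p <= hi)
    return ports


def audit_db_placement(instances, route_tables, security_groups) -> Dict[str, List[str]]:
    """Map instance id -> list of issues, for instances tagged role=db only."""
    public = public_subnets(route_tables)
    findings: Dict[str, List[str]] = {}
    for inst in instances:
        if inst.get("Tags", {}).get("role") != "db":
            continue
        issues = []
        if inst["SubnetId"] in public:
            issues.append(f"in public subnet {inst['SubnetId']} (default route to igw)")
        for sg in inst["SecurityGroups"]:
            for port in world_open_db_ports(security_groups.get(sg, [])):
                issues.append(f"{sg} allows tcp/{port} from 0.0.0.0/0")
        if issues:
            findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    for inst_id, issues in audit_db_placement(INSTANCES, ROUTE_TABLES, SECURITY_GROUPS).items():
        print(inst_id, issues)
```

Both checks matter: a database in a private subnet with a security group open to 0.0.0.0/0 is unreachable today but one routing change away from exposure, and a database in a public subnet with a tight security group is protected by a single rule that anyone with the console can loosen.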

  5. Drew Scriver
    Facepalm

    "It's not lost - we still have the original files."

    No data was lost to an unknown party during the exposure.

    lost - lôst,läst

    1. unable to find one's way; not knowing one's whereabouts.

    2. denoting something that has been taken away or cannot be recovered.
