Finally, a response that amounts to more than the nauseating cliche: "we take blah, blah, blah seriously"!
Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses. The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't …
Like the open and seemingly honest approaches - first, they clearly took seriously, and listened to, the guy who reported the problem and took swift action. Secondly they have put up their hands and admitted it was simple human error.
Never great it happens but... Kudos for the way they've responded.
We're good Peter... thanks for coming clean.
Dear Veeam community member,
Veeam is committed to maintaining the privacy and security of your personal information. For this reason, I am writing to personally notify you about a recent incident affecting one of our marketing databases. Because we value the importance of your privacy and information security, we are treating this matter very seriously.
We recently became aware that one of our marketing databases, which was not easily discoverable, may have been accessible to unauthorized third parties for a limited time due to human error. As soon as we validated the issue, we quickly secured that database. Once secured, we launched a full investigation into the scope of the incident, and took corrective measures to reduce the risk of future such incidents.
What information was involved?
The exposed database contained non-sensitive marketing records, such as name and email address, and in some instances IP addresses. It is possible that this information was visible to an outside third party for a limited time.
What actions were taken?
Veeam takes the privacy and security of your personal information seriously. As soon we validated the incident, we moved quickly to ensure the database was properly secured and to limit any further exposure. We are now actively investigating the matter to ensure that it does not happen again. As a company, we value honesty and openness, which is why I wanted to personally assure you that steps have been taken to prevent a similar issue from occurring in the future. We sincerely apologize for any stress or inconvenience this issue may have caused for you.
Please direct any questions to firstname.lastname@example.org. In addition, please use only your Veeam account page to adjust your contact information. Veeam will NOT ask you to update your information by email.
Thank you for being a valued business partner to Veeam.
President and Co-CEO
Was mentioned that I've been thinking about for quite awhile with all the reported leaks - including some important ones like credit agencies or OPM.
They never mention if the hacker modified the database, which as this article points out, is not hard at all if you have access - you needn't be so crass as to just delete the whole thing for ransom.
What if you had some other agenda - some version of "deep fakery" in mind. Screw up someone's credit rating or security clearance in a way that would be near impossible for them to dispute. Or, perhaps better - GIVE yourself a good rating in credit or security and pass yourself off as someone worth of tons of money or access to secrets.
It's interesting to me how silent the authorities are on this one...I didn't know there were that many crickets on the planet. It has to be a concern, else every security person having anything whatever to do with those outfits should be fired or maybe even tried in court.