Who left a database of emails, credit cards, plain-text passwords, and more open to the web this week? Tech Data, come on down!

IT gear distributor Tech Data is the latest company to expose an insecure database, jam-packed with personal and sensitive information, to the public internet for anyone to rifle through. A team at network security outfit vpnMentor was scanning cyber-space as part of a web-mapping project when they happened upon a Graylog …

  1. Bronek Kozicki
    Joke

    Should I hold my breath ...

    ... until they report themselves to ICO?

  2. elDog

    I'm absolutely sure that the tech giants have massive indemnity clauses

    written into their contract with Tech Data. Clauses that will protect the giants but not the consumers (products).

    In any case, misery loves company; so all of us should feel well loved.

  3. Pascal Monett Silver badge
    Trollface

    "The [..] company did not mention the incident in its most recent SEC filings"

    Ooh, that's a big no-no. You can apparently lie to Congress with impunity, but not mentioning a serious incident to the SEC? That's gonna hurt.

    1. J. Cook Silver badge

      Re: "The [..] company did not mention the incident in its most recent SEC filings"

      The PCI Security Standards Council might be interested as well; you lose your compliance certification and none of the payment processors will touch you with a ten-foot pole...

  4. DrM

    Never ends

    http://bluephotons.com/

    1. Anonymous Coward

      Re: Never ends

      ¿Qué?

  5. Valeyard

    Where's the quote?

    I need to be reassured that my security and privacy are of utmost importance

    1. Bibbit

      Re: Where's the quote?

      Do not worry. They take their customers' security very seriously.

      1. Brian Miller

        Re: Where's the quote?

        They take their customers' security very seriously.

        Tequila!

        If security were a drinking game, all participants would end up with 0.9 blood alcohol content.

        1. stiine Silver badge
          Pint

          Re: Where's the quote?

          Oh, come on, we can all drink more than that.

  6. BebopWeBop
    Devil

    No matter how good your security and privacy controls are, they are typically no better than those of your (lowest cost) subcontractor

    1. Anonymous Coward

      "your (lowest cost) subcontractor"

      Stop pretending the expensive commissions you pay to third party sales people, management or shareholders will somehow result in better quality while they continue to use the cheapest resources available.

      Your suppliers will meet their contractual obligations. Experienced suppliers already have the get-out-of-jail clauses included in the contracts. If your contracts don't clearly specify responsibility and how risk/damages will be assigned in the event of data loss, your company probably carries a significant proportion of the third parties' risk.

      1. Doctor Syntax Silver badge

        "Experienced suppliers already have the get out of jail clauses included in the contracts."

        They may mitigate civil damages by passing them on to the customer but they can't override statutory requirements which will include criminal liability. In more enlightened jurisdictions consumer rights are also likely covered by statute, B2B less so.

  7. MachDiamond Silver badge

    Gift cards

    I think I'll just keep using gift cards when I need plastic money. Limiting in some ways, but losing one won't affect my credit or leave me liable for thousands in purchases I didn't make.

    1. TonyJ

      Re: Gift cards

      Pre-paid credit card topped up when needed.

      Kids' gaming consoles etc - buy a top up card in the supermarket.

      Pain in the backside sometimes and doesn't mitigate the whole username, passwords, emails, inside leg measurements issues but it is one less thing to worry about.

  8. Cuddles

    "Who left a database of emails, credit cards, plain-text passwords, and more open to the web this week?"

    Let's be honest, the real question these days is "Who didn't?".

    1. Dan 55 Silver badge

      Huawei, but according to GCHQ's big cheese they're "shoddy".

      This isn't shoddy, this is an open server.

  9. unimaginative

    Graylog requires users to log in by default if you have your own install, and I imagine it is the same for their hosted service, so someone had to deliberately make it publicly accessible.

    1. sal II

      I bet it was only done "temporarily" to troubleshoot an issue etc. and never revisited again...

    2. Bendolfc

      Graylog does, yes, but I would imagine that it wasn't Graylog that was open but the Elasticsearch cluster that it was running off.
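      The distinction drawn in the two comments above (the Graylog front end authenticating while the Elasticsearch cluster behind it may not) is exactly what a configuration review should catch. The Python below is an added example written for this page; it is not code from the thread, from Graylog or from Elastic. It takes a loaded elasticsearch.yml as a flat dict and flags the exposure pattern: the HTTP listener bound beyond loopback while `xpack.security.enabled` is off. The setting names (`network.host`, `http.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the sample settings dicts are constructed, and treating a missing `xpack.security.enabled` as false assumes a release before 8.0, where that was the default.

```python
"""Review Elasticsearch node settings for unauthenticated network exposure.

Added example for this page; not Graylog's or Elastic's code.
"""
import ipaddress
from typing import Dict, List

# Elasticsearch settings are a flat key/value map once the YAML is loaded;
# a dict stands in for the parsed elasticsearch.yml here.
Settings = Dict[str, str]

# Values that keep the listener on the local machine only.
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def _truthy(value: str) -> bool:
    return str(value).strip().lower() in {"true", "yes", "1"}


def bound_beyond_loopback(settings: Settings) -> bool:
    """True if the HTTP listener is reachable from other hosts.

    http.host overrides network.host for the HTTP layer; the default for
    both is _local_ (loopback only).
    """
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    for entry in (part.strip() for part in str(host).split(",")):
        if entry.startswith("_"):
            # Special values such as _local_, _site_, _global_, _eth0_,
            # optionally suffixed with :ipv4 / :ipv6.
            name = entry.split(":")[0]
            if name == "_local_":
                continue
            return True  # any other special value binds a real interface
        if entry in LOOPBACK_ALIASES:
            continue
        try:
            if not ipaddress.ip_address(entry).is_loopback:
                return True  # 0.0.0.0, a site address, etc.
        except ValueError:
            return True  # a hostname: assume it resolves to a routable address
    return False


def review(settings: Settings) -> List[str]:
    """Return a list of findings; an empty list means no exposure pattern found."""
    findings: List[str] = []
    exposed = bound_beyond_loopback(settings)
    # Assumption: absent key means disabled, as in releases before 8.0.
    security_on = _truthy(settings.get("xpack.security.enabled", "false"))
    tls_on = _truthy(settings.get("xpack.security.http.ssl.enabled", "false"))

    if exposed and not security_on:
        findings.append(
            "HTTP API bound to a non-loopback address with "
            "xpack.security.enabled=false: unauthenticated read/write"
        )
    if exposed and security_on and not tls_on:
        findings.append(
            "authentication is on but HTTP TLS is off: "
            "credentials and data travel in clear text"
        )
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK = {"network.host": "0.0.0.0", "http.port": "9200"}
HARDENED = {
    "network.host": "0.0.0.0",
    "xpack.security.enabled": "true",
    "xpack.security.http.ssl.enabled": "true",
}
LOCAL_ONLY = {"network.host": "_local_"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED), ("local", LOCAL_ONLY)):
        print(label, review(cfg) or ["ok"])
```

      Running it against the three constructed configs gives one finding for the weak one and none for the other two. Only the exposure pattern is checked here; a real review would also cover the transport port and any reverse proxy in front of the node.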

    3. Anonymous Coward

      And who exposes credit cards and plain-text passwords over the Internet?

      Someone (or more than one) who doesn't know what they were doing in an environment that doesn't have the necessary controls. This isn't just one thing wrong... everything appears to be wrong/bad practice.

      1. stiine Silver badge

        The alternatives are 1) they were hacked and since they aren't using a P2PE vendor, their card information was written to a database or 2) they have been writing card information to a database since before PCI and haven't been found out until now.

        1. Doctor Syntax Silver badge

          3) Marketing didn't like IT's attitude and rolled their own with a cloud vendor and a company credit card.

  10. adam payne

    Tech Data did not respond to a request for comment from The Register.

    What no stock statement to say that you take privacy and security seriously.

    Colour me shocked.

  11. Roj Blake Silver badge

    Just US, or Everywhere?

    The article doesn't make it clear whether this is something that just affects TD's US operation, or whether it extends to other countries as well.

  12. clintos

    Too much information stored to protect

    I work for a large corporate company. They got hit by ransomware a while ago. Too big for their boots and too many idiots working in IT, probably the same impact from this scenario. When I did server and network admin in-house, I nailed everything to the floor: you got nothing unless you gave me a great reason for wanting access to it. Written in stone is good, and signed by every pen pusher onsite.

  13. tentimes

    Buy it on the dark web for $5 a login/CC

    What people don't understand is that this type of stuff is permanently up for sale on the darknet for anyone that wants it. Netflix accounts, database dumps, etc. etc. The fact this is known about is the unusual bit. This is only the tip of a very big iceberg that most people just don't know about. I don't have any interest in buying this stuff, I just noticed it all up for sale when I was investigating (cough) the darknet.

  14. waldo kitty
    Holmes

    almost gotta wonder if they've done or are doing any forensics to find out if anyone outside has accessed the system(s) and if they've pulled data off... another question is how long was the system(s) open in this manner... when and why...

    1. Doctor Syntax Silver badge

      That might be information they really don't want to know.

  15. hatti

    Snafu

    Get ready for the "only a handful of customers appear to have been compromised" corporate statement
