Security Market Segment LS
Friday, 07 June 2019 10:36

Fortune 500 firm Tech Data leaks 264Gb of data online Featured

Fortune 500 firm Tech Data leaks 264Gb of data online Image by Hebi B. from Pixabay

Security researchers from virtual private network firm vpnMentor have found an unsecured server belonging to American multinational tech vendor Data Tech online, containing 264GB of data about its client servers, invoices, SAP integrations and plaintext passwords.

Noam Rotem and Ran Locar said in a blog post that more than one in four Fortune 500 companies had experienced a data breach in the last decade and thus Tech Data was "part of an elite, but particularly vulnerable, club".

Tech Data has been in business for 45 years and says it is "one of the world’s largest technology distributors. We help companies like HP, Apple, Cisco, Microsoft — and hundreds of others — bring their products to market, and we offer a wide range of technical and business support services".

The company claims to have more than 125,000 customers in more than 100 countries, with over 50,000 transactions every day. It is ranked 83 on the Fortune 500 list. Last year, its revenue amounted to US$37.2 billion, making it the second largest publicly traded company in Florida.

Rotem and Locar said they had discovered the leak on 2 June and tried to inform Tech Data about it the same day but could not make contact. They tried again a couple of days later and were successful. Tech Data fixed the unsecured server the same day.

The duo said they had found a log management server that was leaking system-wide data.

"This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more," they wrote.

"This was a serious leak as far as we could see, so much so that all of the credentials needed to log in to customer accounts were available."

Some of the data included private API keys, bank information, payment details, usernames and unencrypted passwords.

Additionally personally identifiable information — full names, job titles, email addresses, postal addresses, telephone numbers and fax numbers — was visible.

Commenting on the leak, Chris DeRamus, chief technology officer and co-founder of IT governance firm DivvyCloud, said: "Like most Fortune 500 companies, Tech Data was embracing self-service access to cloud services and software-defined infrastructure. The speed and agility of these services is essential for companies seeking to gain and maintain a competitive edge.

"Unfortunately, developers and engineers can often move too quickly and bypass critical security and compliance policies. The speed of workload deployment, rate of change and an increasing number of users can quickly overwhelm any company’s ability to keep corporate data secure and maintain compliance."

DeRamus said Tech Data had housed this customer data so that its staff could efficiently troubleshoot issues that arose when customers tried to buy cloud services from its StreamOne cloud service.

"Unfortunately, forgetting to set a password on the server and failing to encrypt the data leaves the affected customers at risk of highly focused spear phishing or brute force campaigns," he said. "As a Fortune 500 company, Tech Data can face serious implications including decreased brand value, diminished shareholder trust, potential lawsuits and beyond."

While leaving servers unprotected seemed like a simple mistake to make, DeRamus said more and more companies suffered data breaches as the result of misconfigurations. "We read about them in the news almost every day – most recently [it was] JCrush.

"The truth is, organisations are lacking the proper tools to identify and remediate insecure software configurations and deployments. Automated cloud security solutions enable companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.”

Jonathan Bensen, the chief information security officer of cyber security provider Balbix, said digital transformation had led to an exponential increase in the size of the enterprise attack surface.

"That, coupled with the fact that 51% of organisations report a problematic shortage of cyber security skills, according to ESG’s annual survey, can result in data breaches due to misconfigurations and other poor security practices," he said.

"In Tech Data’s defence, companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once."

Bensen added that Fortune 500 companies like Tech Data, and other companies that housed massive amounts of data, must leverage artificial intelligence to assist corporate security teams in monitoring for vulnerabilities.

"The top AI-based security tools can automatically discover and monitor all IT assets across a broad range of attack vectors, prioritise remediations based on business risk and even implement automatic remediation workflows by integrating into enterprise ticketing and security orchestration systems," he said.

Contacted for comment, Tech Data External Communications director Bobby Eagle said: "Tech Data recently learned of a security vulnerability involving a server associated with our StreamOne marketplace. Within hours of learning of this, the security vulnerability was corrected, and the server was disabled.

"Based on what we know at this time, there is no evidence that the data stored on the affected server was misused for any unauthorised transactions or other fraud. We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed.

"We do not store any credit card numbers or bank account details in the StreamOne marketplace. Importantly, no credentials necessary for logging into StreamOne or other Tech Data customer accounts were included on the server.

"While our investigation continues, we can advise that the server data may have included a combination of business data such as information found on a business card and certain other information, such as one-time-use credentials to activate a specific cloud service, and date and time of service activations.

"Tech Data takes the protection of our customers’, partners’ and employees’ data very seriously. As always, our focus is on maintaining data security and confidentiality."

Read 4761 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News