Tech Data Fixes Leak That Exposed Reseller Payment Information: Report

Email and personal user data, reseller contact and invoice information, payment and credit card data, internal security logs, and unencrypted logins and passwords were leaked by Tech Data’s log management server, vpnMentor found.

Tech Data has fixed a “major” data leak that exposed payment, invoice, account and contact information for the company's reseller and MSP partners, according to a report on TechCrunch.

The Clearwater, Fla.-based IT distribution giant leaked some 264 gigabytes of client and employee corporate and personal data, providing access to Tech Data's client servers, invoices, SAP integrations and plain-text passwords, according to two vpnMentor security researchers.

vpnMentor said its researchers had discovered the data leak and reached out to Tech Data on Sunday, with Tech Data's team responding to a follow-up contact attempt and fixing the data leak on Tuesday. vpnMentor praised the "expertise and dedication" of the Tech Data team in handling news of the leak professionally and asking real questions to solve the problem.

Tech Data didn't respond to CRN requests for comment. CRN has reached out to vpnMentor for comment.

Tech Data's Graylog log management server was leaking systemwide data, vpnMentor reported, including email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, and unencrypted logins and passwords.

The exposed server was running a database used for logging internal company events for its StreamOne cloud service, a multi-vendor marketplace for cloud services, according to TechCrunch, which spoke with the vpnMentor researchers and examined a portion of the leaked records.

The logging data contained error information that Tech Data staff can use to troubleshoot issues that arise when customers try to buy service online, TechCrunch said. But Tech Data didn't put a password on the server, TechCrunch said, meaning that anyone with a web browser could look over daily logs for the last several months. The database was pulled offline after disclosure by vpnMentor, TechCrunch said.

vpnMentor characterized the leak as 'serious' since all of the credentials needed to log in to customer accounts were available. A simple search of the exposed database turned up payment information, personally identifiable information, and full company and account details for end users and managed service providers such as a criminal defense attorney or utilities service provider, vpnMentor found.

The leak contained enough details for an adversary to easily access a user's account, and potentially even gain access to the associated permissions for said accounts, according to vpnMentor. The exposure left Tech Data vulnerable to threat actors looking to take control of the systems and exploit them with ransomware as well as competitors looking to gain an unfair advantage, vpnMentor said.

It's unclear exactly how many customer records were in the exposed Tech Data database, TechCrunch said. The portion of data obtained by TechCrunch contained information on tens of thousands of customers, but TechCrunch said the database was vastly bigger in size.

Some of the sensitive information available in the Tech Data data leak included: private API keys; bank information; payment details; usernames and unencrypted passwords; full names; job titles; email addresses; postal addresses; telephone numbers; and fax numbers, vpnMentor reported.

None of the data was encrypted except for obfuscated credit card numbers, TechCrunch found. The exposed records contained partial payment information, TechCrunch said, such as card type, cardholder names and expiration dates.

Machine and process information for clients' internal systems was also exposed, which vpnMentor said could help hackers find out more about the system and its mechanics. Due to ethical reasons and the size of the database, vpnMentor said it didn't go through the entire exposed database, meaning that additional sensitive information might have been available to the public.

vpnMentor found the data breach at Tech Data as part of a huge web mapping project the website is currently undertaking, which involves the use of port scanning to examine known IP blocks. This can reveal gaps in web systems, which vpnMentor said are then examined for vulnerabilities, including potential data exposure and breaches.

Once vpnMentor confirms the identity of the database, the organization said it reaches out to the database's owner to report the leak. Whenever possible, vpnMentor said it also alerts those who were directly affected. vpnMentor said security researchers Noam Rotem and Ran Locar were the ones to identify the Tech Data data leak.