Ratmir Timashev (co-founder, Veeam)
News that Veeam left 445 million customer records on an open server from Amazon Web Services has created a feeding frenzy within the channel, spearheaded by industry rival Commvault.
The error was uncovered by security researcher Bob Diachenko, who found an exposed Veeam MongoDB containing 445 million records, equating to 200GB of data.
The exposed database contained information on marketing leads, including names and email addresses.
“Another week, another misconfigured MongoDB server incident,” wrote Diachenko, via social media. “This time, ironically, database appeared to be handled by Veeam, company that develops back-up, disaster recovery and intelligent data management software for virtual, physical and multi-cloud infrastructures.
"A 200-GB database included vast massives of data that is apparently used by Veeam marketing automation team to reach out to their customers using Marketo solution (Marketo is a software company focused on account-based marketing, including email, mobile, social, digital ads, web management, and analytics)."
After TechCrunch informed the vendor of the exposure, the publication said the server was "pulled offline within three hours”.
“The Veeam incident is unfortunate for a self-described intelligent data management company, but the reality is it could happen to any organisation,” said Chris Gondek, principal architect at Commvault.
“Rather than spread fear, uncertainty and doubt about a lack of capability, this incident should serve as a reminder to all organisations that data is an asset and a catalyst to many initiatives - and it must be protected.”
According to Gondek, all organisations must be prepared for data loss scenarios for "when, not if, it happens".
“Perimeter security is a prevention method, at best,” he added. “Organisations need a proper data protection plan, with particular focus around recovery readiness and disaster recovery.
“It’s also time organisations hold business vendors that deal in data to the same standards as you would financial institutions. Take data found in the cloud: there is a perception that the cloud is more secure; that they’re the specialists and your data is not at risk.
“At the end of the day, your organisation is responsible for your data and information, irrespective of where you place it.”
