Fortune 500 company leaked 264GB in client, payment data

Updated: The data leak impacted Tech Data’s client servers, SAP systems, and more.
Written by Charlie Osborne, Contributing Writer

A veteran Fortune 500 company has plugged a data leak which exposed 264GB in client and business data to the public.

Tech Data, an IT infrastructure company with over 45 years in the business and $37.2 billion in sales for the 2019 fiscal year, was the source of the leak, vpnMentor researchers Noam Rotem and Ran Locar said in a blog post on Thursday.

According to the team, a log management server was leaking system-wide information. After discovering the server through vpnMentor's web mapping project, the company took a sample of the leaked information, which was "a serious leak as far as we could see."

"With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) -- including for a criminal defense attorney, a utilities service provider, and more," vpnMentor says.

See also: Massive Quest Diagnostics data breach impacts 12 million patients

Private API keys, bank and payment information, usernames and unencrypted passwords, and process information relating to Tech Data clients' internal systems and SAP builds were exposed.

In addition, the Personally Identifiable Information (PII) of employees was available, including their full names, job titles, email addresses, physical addresses, as well as telephone and fax numbers.

Reseller contact and invoice data, payment and credit card information, and internal security logs were also leaked.

Due to the 264GB size of the database, only a small sample was taken, and so other forms of information may have also been made public.

"There were enough details in this leak wherein a nefarious party could easily access users' accounts -- and possibly gain access to the associated permissions for said accounts," the researchers said.

TechRepublic: Windows 10 passwords won't expire: Why Microsoft says this will make your account safer

The exposed database was discovered on June 2, 2019, and Tech Data was informed on the same day. The Fortune 500 firm responded to vpnMentor requests on June 4 and on the same day the leak was fixed.  

In related news, last month vpnMentor researchers uncovered an unsecured database containing 85.4GB of security audit logs which appear to belong to Pyramid Hotel Group clients including Marriott, Sheraton, Plaza, and Hilton Hotel locations.

CNET: Scam artists reportedly stole $19 million worth of iPhones

While Pyramid would not confirm the company owned the server, shortly after private disclosure, access to the leaking database was revoked. 

Update 14.08 BST: A Tech Data spokesperson told ZDNet:

"Tech Data recently learned of a security vulnerability involving a server associated with our StreamOne marketplace. Within hours of learning of this, the security vulnerability was corrected, and the server was disabled.

Based on what we know at this time, there is no evidence that the data stored on the affected server was misused for any unauthorized transactions or other fraud. We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed. 

We do not store any credit card numbers or bank account details in the StreamOne marketplace. Importantly, no credentials necessary for logging into StreamOne or other Tech Data customer accounts were included on the server."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards