News Hub

Rubrik reportedly leaks massive customer database

Written by Wed 30 Jan 2019

A server security lapse exposed a huge database of customer information belonging to Rubrik, an IT security and cloud data management giant, TechCrunch reports

The server was discovered by security researcher Oliver Hough, who found it was not password protected – essentially allowing anyone to rummage around inside if they knew where the server was located. As soon as TechCrunch alerted Rubrik – a database unicorn valued at $3.3 billion – it pulled the server offline.

Corporate data

The database was home to tens of gigabytes of customer information: names, contact details, as well as casework for each corporate customer, dating back to October 2018. It was running on a hosted Amazon Elasticsearch server.

It is the corporate portion of the data exposed that is the most alarming for Rubrik’s clients. According to TechCrunch it contained emails from customers including names, job titles and phone numbers, and sensitive information about customers’ set up and config.

Rubrik is one of the fastest growing storage and data management companies and boasts an A-list line up of corporate customers including Deloitte, Shell, the NHS and Homeland Security. Rubrik recently announced that it is moving beyond data management services into security and compliance services.

Speaking to TechCrunch a Rubrik spokesperson said the database represented a ‘sandbox environment containing a subset of our customer corporate contact information’, adding that the data was only briefly exposed and the issue rectified immediately.

Rubrik also claimed that other than the security researcher who discovered the issue no one else managed to get their hands on the data.

“We have traced the cause to human error, a default access setting was not changed per our standard practice. We have enacted changes to our processes to prevent this from happening again. Privacy and security is our top concern and we sincerely apologize for the mistake,” the spokesperson told TechCrunch.

Database vulnerabilities

The incident reflects a growing and worrying trend of unsecured databases being discovered and exposed. Rubrik’s server was indexed on Shodan, a search engine which makes exposed devices and databases easily discoverable and accessible.

Last September, backup and data recovery company Veeam was left red-faced after a security researcher found an exposed database containing more than 200 gigabytes of customer records.

As many EU customers were exposed in the Rubrik leak, it’s not just brand reputation that is on the line for Rubrik but regulatory fines of up to four percent of its annual turnover, now that GDPR is implemented.

Rick Campagna, CMO at cloud security company Bitglass told Techerati that it has become too easy for outsiders to find unsecured databases.

“Leaving a server publicly accessible is simply unacceptable.  Even smaller companies with limited IT resources must ensure that they are properly securing data.  Companies must realise that the implications failing to invest in their own cybersecurity readiness are wide-spread posing major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation,” he said.

Written by Wed 30 Jan 2019


database leak rubrik security server
Send us a correction Send us a news tip