Veeam lost our customer records?

[omegagx]

How do I check if our records were included in this misconfigured DB that was open to the whole world? https://www.theinquirer.net/inquirer/ne ... aws-server

[Marten_med_e]

Another article about it.

https://www.scmagazine.com/home/news/ve ... s-exposed/

[omegagx]

Yeah, looks like it remained unsecured for 4 days after it was reported to Veeam.

[Gostev]

All - since the affected system does not belong to Veeam R&D, I cannot provide the detailed insight on this event. Nevertheless, I do very much apologize for this incident.

What I do know based on the internal communication is that this was a single marketing automation database that does NOT contain actual customer records (those are kept elsewhere). Only non-sensitive marketing information such as name, email address, and in some cases IP address and device ID. This database was possibly visible to outside third parties for a period of time, but it was never easily accessible - and based on the logs, we know the entire database was not compromised. We are in the process of notifying all of our customers and partners of the incident, regardless of if they may or may not be affected.

I will keep you posted if anything else material comes up on this topic.

[Gostev]

Here's the official word from our president > https://www.veeam.com/executive-blog/ve ... olved.html

[Gostev]

More comments from our president in this interview > https://www.theregister.co.uk/2018/09/1 ... follow_up/

[dwrandolph]

Sorry, but "name, email address, and in some cases IP address and device ID" does not count as "non-sensitive"! that is a lot of meta-data to tie other breaches together with.

[Gostev]

I am not an expert in this to argue. However, this specific snippet you're quoting was provided to me by our lawyers. So I assume there are actual legal definitions of what is considered sensitive vs. non-sensitive data that they relied upon, and these definitions may not match your or mine perception.

[dwrandolph]

Oh, the lawyers are involved, with their carefully chosen and limited definitions of terminology. Everything must be all right then. </sarcasm>

[bdufour]

thank you gostev for that clarification, as that was my assumption. it's not a shocker that lawyers would be involved in such matters. im not sure what else this guy wants out of this thread. i hope we can get past the mockery and sarcasm - as this is a technical forum.

[Gostev]

Thanks for understanding, Blake. I almost wish now this had something to deal with our R&D organization... because there's nothing worse for me than taking heat for something that happened in a different part of the organization, and not being able to respond in a meaningful way due to not being in the loop