Cloud data management and backup vendor Rubrik left the door to one of its servers open, leaking Rubrik backup customer names, contact information and support interaction records.
The data was accessed by independent security researcher Oliver Hough, who said it wasn't protected by a password and was accessible to anyone who knew where to find the server. Hough said he discovered the unprotected server through the Shodan.io search engine, which indexes internet-connected devices and is a tool accessible to anyone -- including bad actors.
"Anyone who knew the IP of the database instance could access the data; no authentication was in place," Hough said. "Off the top of my head, [there was] 20 GB-plus, which was tens of thousands of support ticket entries, as well as some employee records, client email addresses and job titles -- though they do seem to have been careful to not include passwords."
'The world we live in now'
This lapse in security is rightfully a cause of concern for Rubrik backup customers, but George Crump, chief steward at analyst firm Storage Switzerland, said in the grand scheme of things, the data leak was not all that damaging. Crump said these sorts of human errors are a fact of life in the industry, and specifically called out a similar leak with Veeam last year. He said we will see more incidents like this in the future -- although probably not from Rubrik again anytime soon.
"Certainly Rubrik didn't do anything malicious. They had a human that made a human mistake," Crump said. "I don't want to make light of it, but it's just the world we live in now. If you're going to put anything on the cloud, you're vulnerable."
These sorts of mistakes will never be fully prevented, he said. The best lesson learned from this incident is that organizations must be more diligent not to leave data exposed, and customers need to be wary about the kind of data they submit to their vendors. For Crump, this problem was not specific to Rubrik, and any backup or IT vendor could have experienced this leak.
When asked for a statement, Rubrik directed SearchDataBackup to a post on its blog, which said the vendor changed the security level on the affected server within 30 minutes of being informed of the leak. The server was a sandbox environment for developing a new customer experience tool for Rubrik backup users. The environment defaulted to a lower security level than intended, and no one noticed, according to the blog post.
Christophe Bertrand, senior analyst at Enterprise Strategy Group, spoke with Rubrik after the incident. While the data leak concerned him, he learned the actual impact to Rubrik backup customers was minimal. Instead, Bertrand sees the vendor's quick response as a positive.
"We should look at what was really exposed, which was just a subset of [customer] data. Factually, I think there's been a minimal impact," Bertrand said. "I commend them for being upfront, open and responsive. They were trying to build a better customer experience, which is the irony."
Rubrik leak downplayed
While Rubrik was quick to plug the leak, Hough said Rubrik wasn't entirely transparent about the incident. Rubrik's original statement claimed no one but Hough accessed the server, but he claims that at least two others had a peek at it, as well.
"They played it down a little immediately, claiming that only I had accessed the data," Hough said. "But [another person] had also accessed the data, as well as another IP address they sent me asking if it was mine. They did not appear to have analyzed their logs very well."
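Hough's point is that scoping an exposure means reading the server's own access logs rather than assuming the researcher who reported it was the only visitor. The following is an added example, not code from the article or from Rubrik: it parses a handful of constructed access-log lines in the Common Log Format (the IP addresses, paths and timestamps are placeholders), summarizes every external client that successfully pulled data, and lists the ones that were not already known to the incident responders.

```python
"""Summarize who accessed an exposed server from its access log.

Added example for incident-scoping; the log lines below are constructed
and the addresses are documentation ranges, not real clients.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log in Common Log Format:
# client_ip ident user [timestamp] "request" status bytes
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2019:10:02:11 +0000] "GET /api/tickets?page=1 HTTP/1.1" 200 48213
203.0.113.7 - - [29/Jan/2019:10:05:40 +0000] "GET /api/tickets?page=2 HTTP/1.1" 200 47990
198.51.100.23 - - [29/Jan/2019:11:17:02 +0000] "GET /api/tickets?page=1 HTTP/1.1" 200 48213
192.0.2.44 - - [29/Jan/2019:13:44:19 +0000] "GET / HTTP/1.1" 200 511
10.0.5.12 - - [29/Jan/2019:13:50:00 +0000] "GET /health HTTP/1.1" 200 17
192.0.2.99 - - [29/Jan/2019:13:52:08 +0000] "GET /admin HTTP/1.1" 404 0
198.51.100.23 - - [29/Jan/2019:14:01:33 +0000] "GET /api/tickets?page=1 HTTP/1.1" 200 48213
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def summarize_access(lines, internal_nets=("10.0.0.0/8",)):
    """Per external client IP: successful request count, bytes served, first/last seen.

    Requests that failed (status >= 400) did not return data and are skipped;
    traffic from the operator's own internal ranges is skipped as well.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue
        if any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
            continue
        s = summary.setdefault(
            rec["ip"], {"requests": 0, "bytes": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return summary


def unexpected_sources(summary, known_ips):
    """Clients that retrieved data but are not in the set the responders already knew about."""
    return sorted(ip for ip in summary if ip not in known_ips)


if __name__ == "__main__":
    report = summarize_access(SAMPLE_LOG.splitlines())
    for ip, s in report.items():
        print(f"{ip}: {s['requests']} requests, {s['bytes']} bytes, "
              f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
    # Only the reporting researcher's address is assumed known here.
    print("not yet accounted for:", unexpected_sources(report, {"203.0.113.7"}))
```

Run against the constructed log, the script shows three external clients that received data, two of which are not the reporting researcher; that is the kind of result that should drive the "who else saw this" statement before anyone asserts that only one party accessed the server.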
Rubrik received $261 million in funding in mid-January 2019, just two weeks before this incident. However, Bertrand was quick to dismiss any notions that Rubrik is spending that money in the wrong areas or growing too fast.
"It could happen to anyone. I would not correlate this to growing too fast," Bertrand said. "The funding just shows the market is really hot."
As for possible punishment, neither Bertrand nor Crump is certain what will happen. Rubrik could be fined under the General Data Protection Regulation because the server did hold European users' contact information, Crump said. He is certain that the data leak violates the California Consumer Privacy Act, which won't be enforced until 2020.
"So in theory, the EU could hit them with the fine of 4% of global revenue," Crump said. "I don't think there are any U.S. fines they have to worry about -- the California law isn't in effect yet."
The best move for Rubrik now, according to Crump, would be to make a transparency play. He said the vendor should inform the affected users about the data leak, provide updates as needed and then lie low.