Fortune 500 giant Tech Data exposed customer and billing data

Security researchers said a security lapse at IT giant Tech Data allowed them to access customer and billing data.

The Fortune 500 information technology giant secured an exposed server shortly after researchers Noam Rotem and Ran Locar found and reported the leaking data.

The server was running a database used for logging internal company events for its StreamOne cloud service, which let customers buy cloud services from a variety of providers and vendors. The logging data contained error data that Tech Data staff can use to troubleshoot issues that arise when customers try to buy service online.

But the tech giant did not put a password on the server, allowing anyone with a web browser to look over daily logs for the last several months.

Rotem and Locar shared their discovery exclusively with TechCrunch, and posted their findings.

TechCrunch also obtained a portion of the records, which we examined for authenticity.

The database contained an array of data, but we found large swathes of customer data, including names, postal addresses and email addresses, job titles and invoicing data and receipts. The records also contained partial payment information, such as card type, cardholder names and expiry dates.

Aside from obfuscated card numbers, none of the data was encrypted.

It’s not known exactly how many customer records are in the database. The portion of data we obtained contained data on tens of thousands of customers — but the database was vastly bigger in size.

Rotem and Locar said they also found private keys and in some cases passwords.

After a disclosure, the database was pulled offline. We sent Tech Data several questions — specifically if it plans to inform customers or regulators of the security lapse — but the company did not return our emails and follow-ups sent prior to publication.

After we published, spokesperson Bobby Eagle confirmed the exposure. “Within hours of learning of this, the security vulnerability was corrected, and the server was disabled,” he said. But the company did not answer our specific questions.

It’s the latest in a series of exposed databases found by the researchers in recent months.

Earlier this week, the researchers disclosed an open database exposing user records and private messages of Jewish dating app JCrush. Their previous findings include Canadian cell network Freedom Mobile and online retailer Gearbest.

Updated with remarks from Tech Data spokesperson. 

Read more: