Major Rubrik client data including NHS data exposed
Cloud security specialist Rubrik has suffered a major security breach after a misconfigured server revealed confidential client contact and configuration data, including Rubrik clients the NHS and the US’s Department of Homeland Security.
The California-based company’s server had not had password protection set up. It was discovered by security researcher Oliver Hough.
The server was indexed on Shodan, a search engine well known by threat actors as a source of exposed vulnerable devices and databases. Rubrik described the cache as “a sandbox customer support & success development environment containing a subset of our customer corporate contact information and support interaction data.”
While no-customer-owned data was exposed, that may be small comfort to those whose contact details and configurations were left wide open. The data was running on a hosted AWS Elastic Search server. The story was first reported by Techcrunch.
Rubrik Leak: Major Corporate Clients Exposed
The database is understood to have been insecure since late 2018 and part of it was dedicated to holding information for all of Rubrik’s corporate clients. The clients exposed on the database include Shell, Amalgamated bank and Deloitte.
Once in, the security researcher could access complete corporate client information such as emails with signature names, titles and phone contact details.
Some of the emails reviewed held sensitive information with regards to customers preferred configurations and setups.
Rubrik said in an incident response update: “Our investigation traced the cause to a developer error. The sandbox development data repository defaulted to a lower access security level and we failed to follow our standard security procedure to appropriately set the access control. To prevent this from happening again, we are rolling out stricter processes such as multiple levels of approvals and security reviews throughout the organization.”
“We apologize for this incident. We are very serious about safeguarding customer information, and this is clearly unacceptable to us. We are continuing to review the situation to improve our processes. We will update this blog if we find any new information.”
The cloud management and security enterprise has blamed human error for the security flaw, commenting that a default security setting was left in place and that this goes against all of their security practices.
Rubrik was recently valued at £2.5 billion after a series of successful funding rounds. The company has announced its intention to move into the security and compliance sector.
Bipul Sinha, Co-founder and CEO at Rubrik commented at the time: “This new capital will speed the introduction of exciting new products in 2019 that will solve those customer challenges and significantly expand our strategic footprint in the enterprise.”
In an emailed statement to Computer Business Review, Rich Campagna, CMO at Bitglass commented that: “It does not take much effort for outsiders to find unsecured databases and access sensitive information these days. This breach is a classic example of a simple security mistake resulting in massive amounts of customer data being exposed.”
“Leaving a server publicly accessible is simply unacceptable. Even smaller companies with limited IT resources must ensure that they are properly securing data. Companies must realise that the implications failing to invest in their own cybersecurity readiness are wide-spread posing major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation.”