Tech Data Says It Has Closed Off StreamOne Data ExposureResearchers Say Logging Server Left Online Without Authentication
Tech Data Corp., one of the largest distributors of hardware, software and software management services, says it has disabled a logging server used for its StreamOne cloud services marketplace after a data exposure.
Researchers Noam Rotem and Ran Locar found the server was open online and did not require authentication. StreamOne is a Tech Data service designed to let cloud service resellers quickly provision and manage cloud subscriptions for their end users. TechCrunch first reported the exposure, which Tech Data says was ended within hours of it being notified.
Tech Data, based in Clearwater, Fla., has a diverse business and is a Fortune 500 company. The company, which has 14,000 employees, recorded $36 billion in net sales in 2018.
What Was Exposed?
Rotem and Locar, who blog for the company vpnMentor, write that the log management server contained personal data, email addresses, reseller contact and invoice information, payment and credit card data, internal security logs as well as unencrypted logins and passwords.
Tech Data says the log server was used to capture and store temporary information for diagnostics and troubleshooting of the StreamOne marketplace. Tech Data spokesman Bobby Eagle says the description of the information exposed is inaccurate, as the server did not contain payment card numbers or bank account details. TechCrunch reports that the payment card numbers were obfuscated.
"In addition, credentials, including passwords, necessary for logging into StreamOne or other Tech Data customer accounts were not included on the impacted server."
—Bobby Eagle, Tech Data
“In addition, credentials, including passwords, necessary for logging into StreamOne or other Tech Data customer accounts were not included on the impacted server,” Eagle says.
Rotem and Locar write that the log server comprised 264 GB if data, although they did not analyze all of it. But they allege that the exposure did reveal sensitive information that could be of use to attackers.
“With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) – including for a criminal defense attorney, a utilities service provider, and more,” they write. “There were enough details in this leak wherein a nefarious party could easily access users’ accounts – and possibly gain access to the associated permissions for said accounts.”
Tech Data says, however, that no credentials for logging into either StreamOne or Tech Data customer accounts were exposed.
“While our investigation continues, we can advise that the server data may have included a combination of business data such as information found on a business card and certain other information, such as one-time-use credentials to activate a specific cloud service, and date and time of service activations,” Eagle says.
Tech Data: No Fraud Yet
Despite the apparent discrepancies over what was exposed, Rotem and Locar – who have a noted record tracking down insecure servers – complimented Tech Data on its quick response (see Canadian Mobile Provider Exposed Payment Card Numbers).
“It’s worth noting that Tech Data’s team was very professional in handling news of the leak and asked the real questions to solve the problem,” the researchers write. “We commend their expertise and dedication.”
So far, Eagle says there’s “no evidence that the data stored on the affected server was misused for any unauthorized transactions or other fraud.”
“We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed,” Eagle says.