Companies that talk about getting serious about security really need to start “walking the talk”. It’s quite ironic that we’ve had a number of major security issues or privacy breaches, such as the Airbus data breach and Apple’s FaceTime bug, so close to Data Privacy Day. And these aren’t just small companies we’re talking about, but giants within their respective industries.
Within the same week, Rubrik, the cloud and data management giant, was hit with a massive data leak which has exposed the data (going back to October 2018) of all of the company’s corporate clients, including their names, contact information, support requests as well as setup and configuration details.
The leak is believed to have been caused by a misconfigured AWS Elasticsearch server, which held a database containing tens of gigabytes of data. Rubrik failed to follow its own security procedure, leaving the data repository at a lower default security access level. Since the server in question lacked any sort of password protection, as discovered by security researcher Oliver Hough, it was accessible to anyone who knew its location.
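Added example, not from the original article and not Rubrik’s own configuration: a small Python audit that flags the kind of open access policy the article describes on an Amazon Elasticsearch Service domain, showing a constructed weak policy beside a corrected one. The domain name, account id and role name are placeholders, and because the article does not state which setting was wrong, treating the “lower security access level” as a wildcard-principal policy is an assumption.

```python
import json

# Constructed policies for an Amazon Elasticsearch Service domain; the domain
# name and account id are placeholders, not Rubrik's real configuration.
# Weak form: any AWS principal, or anonymous caller, may issue any es: action.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"}],
})
# Corrected form: only one named IAM role, and only the HTTP verbs it needs.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-indexer"},
                   "Action": ["es:ESHttpGet", "es:ESHttpPost"],
                   "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"}],
})


def _is_wildcard_principal(principal) -> bool:
    """True when the statement's Principal matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_statements(policy_json: str) -> list:
    """Return Allow statements that expose the domain to anyone: wildcard
    principal and no Condition (such as an aws:SourceIp allow-list) to narrow it."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def is_public(policy_json: str) -> bool:
    """Does this access policy leave the domain reachable by anyone on the Internet?"""
    return bool(find_public_statements(policy_json))
```

Run against the policy document returned for each domain (for example the output of `aws es describe-elasticsearch-domain-config`) to catch the open form before a search engine like Shodan does.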
This should come as a blow (or at the very least, a huge embarrassment) for the company that specialises in providing cloud-first backup and recovery solutions for some of the biggest enterprises and organisations in the world – especially following Rubrik’s recent announcement that it’s expanding into providing security and compliance services as well.
Rubrik has had a bit of a meteoric rise since the company was founded in 2014. Its dynamic and innovative approach to a stagnant backup and recovery market has seen it become one of the fastest-growing unicorns in Silicon Valley and is now valued at US$3.3 billion.
Some of Rubrik’s biggest customers include the likes of the U.S. Department of Defense and Homeland Security, Shell, Deloitte, the UK’s National Health Service as well as the Scottish government.
Since the exposed database disclosed the company’s entire roster of corporate clients, some of whom are based in the EU, Rubrik will likely land in hot water with regard to the GDPR (which could cost Rubrik up to 4% of its annual worldwide turnover).
In response, Rubrik has stated that they “rectified this issue immediately” by rolling out multiple levels of approval and security reviews to prevent such a slip-up from reoccurring. According to a Rubrik spokesperson, no one else had access to the exposed customer-owned data other than the researcher who discovered the security issue. However, no evidence was given to support this claim.
The fact that the exposed server was indexed on Shodan, a search engine that lets users locate exposed (in other words, vulnerable) Internet-connected devices, means that it could have been discovered and accessed by anyone.
Security is supposed to be a strong suit for backup and data protection companies, so such a rudimentary slip-up would surely shake a little customer and public confidence in Rubrik’s capabilities and trustworthiness in keeping sensitive customer information safe.
This incident also highlights the growing complexity of operating within today’s cloud environment. This wasn't a case of a hack or targeted cyber attack, but simply a server misconfiguration issue. If it could happen to a tech giant like Rubrik, it could happen to any of today’s cloud-enabled organisations and potentially lead to dire consequences.