Data management giant Rubrik leaked a massive database of client data in security lapse

A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant.

The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.

The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information, and case work for each corporate customer.

It’s believed the data goes back to October 2018, according to timestamps found inside.

A portion of the database was dedicated to all of the company’s corporate clients, allowing its customers to interact with Rubrik staff with issues or complaints. This included the contents emails that had been ingested into the system from customers — including, in many cases, their email signature with names, job titles and phone numbers. From a cursory review, we also found some emails included sensitive information about that customers’ setup and configuration.

Each company record also includes descriptive profile information, such as if it’s a Global 2000 or a Fortune 500 ranked company to determine the importance of the account, as well as the go-to person’s name and phone number.

It’s somewhat ironic, given that the IT unicorn, valued at $3.3 billion, recently announced that it’s expanding into security and compliance services.

Ribrik has thousands of major clients, and publicizes big names such as the Scottish Government, the U.S. Department of Defense, and CarePoint Health, among others, on its website.

But the client database disclosed what appears to be the company’s entire roster of corporate customers, including Deloitte, Shell, Amalgamated Bank, the U.K. National Health Service, and Homeland Security and other federal government departments.

In remarks, Rubrik said it was investigating.

“While building a new solution for customer support, a sandbox environment containing a subset of our customer corporate contact information and support interaction data was potentially accessible for a brief period of time,” said a spokesperson for Rubrik. “We rectified this issue immediately.”

“We also confirmed that no customer-owned data was exposed,” the spokesperson added. The company also said that, “other than the security researcher who discovered this issue, no one has accessed this environment,” without providing evidence for that claim.

It’s not known who might have accessed it, but the exposed server was indexed on Shodan, a search engine for exposed devices and databases, making it easily discoverable and accessible.

“We have traced the cause to human error, a default access setting was not changed per our standard practice. We have enacted changes to our processes to prevent this from happening again. Privacy and security is our top concern and we sincerely apologize for the mistake,” the spokesperson said.

Rubrik didn’t say if it would notify its customers or state regulators, per data breach notification laws.

Given that European businesses are included in the exposed data, Rubrik could face financial penalties of up to four percent of its global annual revenue if found to be in breach of the EU’s recently implemented GDPR data protection rules.

Rubrik’s data exposure came just months after data management and backup rival Veeam exposed millions of email addresses in its own data exposure.