Data-management firm Veeam reportedly mismanages data, exposes customer info

A Swiss company leaves 440 million customer records open to prying eyes, according to a report.

Sean Keane Former Senior Writer

A Swiss data management company may've dropped the ball when it came to managing its own data.

Switzerland-based Veeam, which specializes in data recovery, backup and management, reportedly left exposed a database containing more than 200 gigabytes of customer information.

The more than 440 million records mostly consisted of names, email addresses and IP addresses, according to a report by TechCrunch and a blog post by security researcher Bob Diachenko.

Veeam uses such data to send automated marketing communications to its customers.

The database consisted of two collections of records gathered between 2013 and 2017, according to TechCrunch, which said some records may be duplicates. After TechCrunch alerted Veeam about the exposure, the database was pulled offline within three hours, the news outlet said.

The database wasn't secured with a password, so it was accessible to anyone who was aware of it, Diachenko said.

Veeam confirmed that data may've been left visible but said the information was innocuous.

"It has been brought to our attention that one of our marketing databases, leaving a number of nonsensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time," Veeam said in an emailed statement. "We have now ensured that all Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway."

Exposed-data incidents have hit Comcast, the University of Cambridge and Exactis in recent months.

First published at 10:31 a.m. PT.
Update, 11:33 a.m.: Adds statement from Veeam.