Sennheiser left personal data of over 28,000 customers exposed on a misconfigured Amazon Web Services (AWS) server.
According to a report from vpnMentor, the German audio equipment manufacturer Sennheiser left an unsecured Amazon Web Services (AWS) server online. The server stored around 55GB of information on over 28,000 Sennheiser customers.
AWS S3 buckets are popular among businesses that need to store large data files. However, correctly configuring a bucket's security settings is essential, which, according to vpnMentor, Sennheiser failed to do.
Personal data of Sennheiser customers exposed
vpnMentor reports that Sennheiser used an AWS S3 bucket to store large data files comprising data collected from its customers. According to vpnMentor’s researchers Noam Rotem and Ran Locar, the database was an old cloud account containing data on 28,000 customers, collected between 2015 and 2018; the database had been dormant since 2018.
The database may be old, but the information would still be valuable to cybercriminals, the researchers noted in their report. They contacted Sennheiser on 28 October 2021 to inform the company about the unprotected server and leaked data.
About the Data
Researchers noted that the bucket contained data from individuals and businesses requesting Sennheiser’s product samples. The database included full names, email IDs, home addresses, phone numbers, employee names, and company names.
This kind of data is sufficient for cybercriminals to perform various attacks such as phishing scams or identity theft. The exposed AWS server was secured by Sennheiser promptly, but it is concerning that such sensitive data was open to public access for such a long time.
“Once we confirmed that Sennheiser was responsible for the data breach, we contacted the company to notify it and offer our assistance. Sennheiser replied a few days later and asked us to give details of our findings.
We disclosed the URL to the unsecured server and provided further detail about what it contained. Despite not hearing back from the company again, the server was secured a few hours later,” vpnMentor’s report read.