A new security report suggests that audio maker Sennheiser may have leaked customer data.
A team of researchers discovered an old cloud account filled with customer data belonging to Sennheiser. The account hasn’t been used since 2018, but more than 28,000 Sennheiser customers have had their data leaked. The data may be old, but it contains private, personal information valuable to online criminals.
VPNMentor researchers Noam Rotem and Ran Locar contacted Sennheiser and disclosed the discovery on October 28, 2021. According to the team, Sennheiser is using Amazon Web Services (AWS) S3 buckets to store data collected from the public.
Sennheiser failed to implement any security measures on this S3 bucket, leaving the content exposed and easily accessible to anyone with a web browser. The researchers were able to identify Sennheiser as the data’s owner because files containing Sennheiser’s company and employee names were listed in the group’s infrastructure.
“After we confirmed that Sennheiser was responsible for the data breach, we contacted the company to notify it and offer assistance. A few days later, Sennheiser responded and asked us to provide details of our findings. We’ve revealed the URL for the insecure server and provided more details on what it contains. Although there was no response from the company, the server was secured a few hours later.”
What data might have been exposed by Sennheiser?
VPNMentor researchers say the database contains 55 GB of data from 28,000 customers. The data appears to have been collected from 2015 to 2018. It’s not clear how the data was collected, but a lot of personally identifiable information was exposed, including:
- Full name
- Email address
- Phone number
- Name of the company requesting a sample
- Number of employees
Exposure is worldwide, but the majority of affected customers are in North America and Europe. The misconfigured AWS bucket may have helped criminals identify targets for identity theft, tax fraud, insurance fraud, and phishing campaigns aimed at more sensitive data.
VPNMentor disclosed the breach to Sennheiser, which must notify customers of a data breach or data exposure in accordance with EU GDPR requirements.
https://www.digitalmusicnews.com/2021/12/16/sennheiser-exposed-customer-data-2021-report/ Sennheiser exposed 28,000 customers’ online data – Report