A data breach by data intelligence firm Attunity exposed hundreds of corporate records of the Ford Motor Company and Toronto-Dominion Bank (TD Bank) to the public internet. Data security firm UpGuard discovered the leak and informed the public via a report on its website.
“An UpGuard researcher discovered three publicly accessible Amazon S3 buckets related to Attunity. Of those, one contained a large collection of internal business documents. The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups,” the report said.
A wide variety of information is available in the exposed files. For starters, the leak placed the login credentials of employees and even entire messages and emails out in the open. In addition, the breach revealed strategic secrets such as internal project plans, legal agreements, and even IT infrastructure.
“Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more,” the report said.
There are other troubling aspects of the exposure. Specifically, it included data such as a roadmap to corporate virtual networks and personal employee information. Hackers could theoretically use this type of information to target employees with identity theft and other types of fraud.
In a statement to Bloomberg by Qlik Technologies, which owns Attunity, spokesman Derek Lyons stated the company will conduct an independent security evaluation. In addition, Qlik stressed it appears only UpGuard accessed the exposed data, meaning no actual damage occurred.
“Attunity customers deploy and operate the software directly in their own environments, and therefore Attunity doesn’t store or host sensitive customer data,” Lyons said. “Upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24×7 security operations center. We take this matter seriously and are committed to concluding this investigation as soon as possible.”
Spokesmen for both Ford and TD bank responded to the report of the data breach as well. Each company stated no evidence exists that their customers’ sensitive data was exposed.