Many of us entrust our important data to backup companies. Whereas backup used to be an entirely local thing, processed on drives within your building, now it’s simple to sign up to a service and beam all your data across the internet to a company’s server across the world.
For the average person, cloud storage is a great solution. It means you can access your data from wherever you are, at any time, and you can usually use it on multiple devices – meaning the data from your phone, tablet, and computer are all covered in the backup plan.
Giants like Microsoft and Google offer their own cloud storage services, as do thousands of smaller vendors, aimed at both the personal and business market.
These services are good and undoubtedly provide a useful service. However, what happens when a backup company exposes customer data?
Of course, we’re not talking intentional data exposure – that would be a PR nightmare on another level. Instead, this involves backup companies that don’t have adequate protection, leading to exposure of customer data. If you can’t trust a company to protect themselves, you surely can’t trust them to look after your data.
A team at vpnMentor (a service which reviews and compares hundreds of VPNs) was working on its web mapping project when it discovered something unnerving. The team found that SOS Online Backup, a California-based backup service, had exposed databases containing customers’ personal information.
vpnMentor previously discovered similar data leaks from brands including PhotoSquared, Decathlon, Yves Rocher, and more. This leak from SOS Online Backup is just the latest and unlikely to be the last.
SOS Online Backup have 12 data centres worldwide and have won multiple awards, which just shows that no matter the scope of the company or their accomplishments, it doesn’t mean their data is always going to be secure.
“The exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services,” said vpnMentor.
This exposure included names, email addresses, phone numbers, corporate details, and account usernames. Having so much information exposed is not only a violation of privacy, it also exposes the company and its customers to a wide range of fraud attacks.
The exposed database also showed the structure of the cloud technology and the accounts system, which hackers could have used to work their way into and infect the systems.
The database would have been valuable to criminals and hackers, for whom access to cloud storage accounts is highly sought after – especially corporate accounts, which carry the potential for ransomware.
Aside from the direct damage of the data leak, the exposure also risks causing reputational and legal damage. In California, the firm could be investigated under the CCPA data protection law. If EU customers’ data is involved, then that involves GDPR regulators.
Luckily, vpnMentor reported the problem to SOS Online Backup. The company resolved the issue nine days later, though it never acknowledged or replied to the researchers.