Data Backup Digest


More Than Half a Million Customer Records Leaked Through SVR Tracking

SVR Tracking specializes in a technology that is popular in car lots and dealerships throughout the nation. Used in the recovery of lost or stolen vehicles, the company provides the hardware and the live, real-time support needed to find and secure these assets in a timely manner. Because its services are used by some of the biggest names in the automotive industry and even some law enforcement personnel, it’s especially concerning that their customer records were recently leaked online for all to see.

Valuable Information Inside

This wasn’t your ordinary data leak. Whereas most incidents involve information like credit card numbers and social security numbers, this leak provided vehicle identification numbers (VINs) and license plate numbers as well as GPS data regarding some vehicles, dealerships and even individual customers. With more than half a million records exposed, this definitely counts as one of the more significant occurrences we’ve seen thus far.

Officials with the Kromtech Security Center first uncovered the data leak on September 18, 2017, and ultimately attributed it to a misconfigured Amazon AWS S3 bucket. As such, the entire database – with all 500,000+ records – was open for anyone to see for an undetermined amount of time.

Thankfully, the team with SVR Tracking moved quickly to rectify the issue. The leak was closed by September 20, but the information had already been available to potential hackers and would-be identity thieves. And the SVR team didn’t exactly make it difficult to access the information.

All of their records were stored in a folder labeled “accounts.” Some of the records contained within – which number 540,642 – are tied to multiple vehicles and reused to keep dealership costs at a minimum. With that in mind, the actual number of vehicles affected might be even greater than originally thought.

Kromtech’s Bob Diachenko mentioned this in a recent interview by saying: “The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking. In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”

While SVR did not respond to questions about the incident itself, they posted a notification on their website stating, in part: “Kromtech contacted SVR on September 20, at which point we immediately began our own investigation into an incident concerning one of our data repositories. Within 3 hours, SVR fixed the repository configuration vulnerability Kromtech identified. SVR's investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers.”

How SVR Tracking Plans to Move Forward

As mentioned, the team with SVR Tracking already patched the leak. While they haven’t provided specifics on their future efforts to prevent similar incidents from occurring, their willingness and
