VirusTotal issues apology for recent sensitive data leak

VirusTotal, the threat analysis service owned by Google, has apologized for a data exposure event that affected approximately 5,600 of its registered customers.

 

The incident, which occurred on June 29, was attributed to human error and involved the accidental upload of a CSV file containing limited customer information by one of the employees.

 

The leaked data primarily included company names, group names linked to VirusTotal, and email addresses of group administrators. Some of the affected records were associated with government organizations such as the United States Justice Department, FBI, NSA, and Cyber Command. However, VirusTotal has reassured its users that the exposure was not a result of a cyber-attack or system vulnerability.

 

In a blog post released on Friday, VirusTotal’s head of product management, Emiliano Martinez, clarified the incident’s nature and apologized to their customers. He emphasized that the exposure resulted from human error and stressed that no malicious actors were involved.

 

Importantly, the leaked data was accessible only to partners and corporate clients using the Premium platform. This restricted access ensured that free account holders or anonymous users could not exploit the information in social engineering attacks, reducing the risk significantly.

 

Upon discovering the accidental upload, VirusTotal acted swiftly, removing the file from their platform within an hour. The prompt response was aided by vigilant customers who received alerts triggered by Yara rules scanning for files containing their domains.

 

In the aftermath of the incident, VirusTotal has taken proactive measures to enhance the security and protection of customer data. The company has implemented new internal processes and technical controls to minimize the likelihood of such incidents occurring in the future.

 

Responding to concerns about sensitive data access by employees, VirusTotal clarified that the specific employee responsible for the upload legitimately required access to the information for their job responsibilities.