SOS Online Backup, a company claiming to provide “multi-award winning bulletproof backup”, compromised personally-identifiable data of 135 million users by failing to secure its online database.
Security researchers at vpnMentor recently discovered that the California-based online backup company “exposed significant metadata related to user accounts on SOS Online Backup and the structure of their cloud services”.
The organisation was contacted by the researchers on December 10 and again on December 17. SOS Online Backup never replied to vpnMentor; however, the incident was mitigated on December 19.
VpnMentor has confirmed that the exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services.
Furthermore, it included personally identifiable information (PII) data of users that included names, phone numbers, email addresses, account usernames and internal company details of corporate customers.
“By exposing so much metadata and user PII, SOS Online Backup has made itself and its customers vulnerable to a wide range of attacks and fraud. This database could have been a goldmine for cybercriminals and malicious hackers, with access to cloud storage highly sought after in the online criminal underworld,” the researchers added.
Massiv data exposure by SOS Online Backup could result in regulatory action
According to vpnMentor, “the exposed database showed the structure of their cloud-based backup technology, accounts’ systems, and how they work. Hackers could use this information to plan effective attacks and embed malicious software in their system. This would allow them to steal customer data and files, or attack SOS Online Backup directly. The consequences of such an attack could be devastating for the company and its customers.”
Aside from suffering damage in terms of market share, revenue and reputation, the company could also be investigated by regulators under the recently-passed California Consumer Privacy Act (CCPA) as well as GDPR as the exposed database may have contained personal data of EU citizens as well.
Commenting on the massive data exposure, Javvad Malik, security awareness advocate at KnowBe4, told TEISS that “it is fortunate that researchers discovered this and reported it to the organisation although it is unclear who could have accessed the data before and what they could have done with it.
“It is why it's important for organisations to build a culture of security so that security is kept in the forefront during design, implementation, and equally important once deployed on an ongoing basis." He added.