Attunity Ltd. exposed sensitive information of its Fortune 100 customers such as Toronto-Dominion Bank (TD Bank), Ford Motor Co., and Netflix on the internet. According to the report published on upguard the sensitive data exposed through an unprotected Amazon Web Services cloud-computer servers bucket.
Attunity Ltd. is an Israel based company that manages and safeguards data means data integration and big data Management Company. Attunity Ltd. is owned by Qlik. The company claim to serve over 2000 enterprises and half of the Fortune firms 100. Official website, here.
On 13th May, 2019 UpGuard researcher found an unprotected and publicly accessible Amazon Web Service Cloud Computer servers bucket. The Amazon Web Service Cloud Computer servers bucket was named as “attunity-it,” “attunity-patch” and “attunity-support”. The oldest files were in “attunity-it”. According to the report in “attunity-it” the bulk of sensitive data was stored, and it was uploaded in September 2014. On 16th May, 2019 researcher contracted Attunity Ltd. and the next day Amazon Web Services cloud-computer servers bucket was secured. Its public access had been removed.
According to the report this breach exposed over a terabyte of data. The researcher said that the total size was unknown to him, but he had downloaded a sample of about a terabyte in size, including 750 gigabytes of compromised email backup.
Attunity Ltd,’s password and network information, as well as email and technology designs from some of Attunity’s high-profile customers by this security incident.
Bloomberg post reads “The centerpiece was a large collection of Attunity files including administrative and employee passwords to various systems, extensive employee email backups, a roadmap to the company’s virtual network and personal information about Attunity’s employees. The widespread presence of login credentials swelled the potential harm of the data leak, according to UpGuard.”
UpGuard report says “Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more.”
In the UpGuard Report, Upguard gives examples of Netflix database authentication strings, TD Bank software upgrade invoice, Ford project preparation slide.
“Attunity’s data buckets included files about Ford’s information-technology architecture and details on internal project plans. Documents attributed to TD Bank included invoices, agreements between the companies, and files about the type of technology solution Attunity was configuring for the bank. There was also log-in information for a database Attunity created when it was trying to sign Netflix Inc. as a client in 2015. Netflix downloaded a demo of an Attunity tool that could have helped the streaming company switch databases, but never became a customer, according to a Netflix spokeswoman.” – Bloomberg post reads.
UpGuard found system credentials in the Attunity Ltd. Amazon Web Services cloud-computer servers buckets. UpGyard says Private Keys were stored in Attunity’s data set.
A spreadsheet named “Production VLAN” was found by the researcher in which researcher found information like IP address belonging to the Attunity own system.
Researchers also noticed that the employees from United states employee ID follows the same numbering scheme as social security numbers. Researcher states that they believe both are same. And It draws additional risk. But US Government sites does not return name of the person with Social Security Number. And for this reason researcher didn’t able to verify the employee ID whether their Social Security Number or not.
What people are saying about this security incident?
Ford spokeswoman Monique Brentley told Bloomberg that “We know the kind of information we provide to companies like Attunity, and we don’t believe there’s an issue.”
Toronto-Dominion Bank (TD Bank) spokesman Matthew Doherty told to Bleeping Computer that “We are currently investigating this matter and, thus far, we have found no evidence that our customers’ personal and financial information was exposed. We also have safeguards in place that are designed to help deter unauthorized access and use of our customers’ personal and financial information.”
A Qlik spokesperson, Attunity’s parent company told to Security Week “Following Qlik’s acquisition of Attunity in May, and upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24×7 security operations center.”
“We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us,” the company added.