Recently we have all become somewhat over-exposed to the leaking of customer data courtesy of inadequate security allowing hackers to gain access to databases. The LinkedIn LeakedOut leak and the eHarmony dating data disaster are good examples of the genre. However, let's not forget that sometimes no hackers are required to make a security and privacy slip-up. Sometimes the in-house folk are all that is required to kick-start an embarrassing data leak. And that's what appears to have just happened to an undisclosed number of Acronis customers, who have been sent emails informing them that "a spreadsheet containing a few email addresses and upgrade serial numbers" had been indexed by search engines.
One customer who received the email from Acronis, a company which provides data backup software and services, was Mike Hall, who called the fact that it still included a default signature stating that "Acronis does not supply customer information to any third party" something of an epic fail in the circumstances.
The email, which went out yesterday afternoon and is signed by Ed Benack, Chief Customer Officer, Acronis Customer Central, blames an unspecified 'technical issue' for allowing a spreadsheet containing emails and upgrade serial numbers to be "indexed by the search engine", and assures customers that no additional data was leaked which could identify individual Acronis customer accounts or put them at risk of breach. Indeed, the email insists that the spreadsheet concerned was only searched for and downloaded by 14 people and states "We have their IP addresses and we are working with their ISPs to notify them of this issue and to ask to delete the file". Good luck with that, but in the meantime Benack goes on to explain that the spreadsheet file has now been removed from the server, search engines have been contacted with a request to have the index removed (good luck with that as well, Mr Benack) and notifications have been sent to all customers concerned.
Although the actual impact in terms of risk to customers here is minuscule, as the error appears to have been picked up quickly and the data concerned is inadequate to breach any account security, it does leave me wondering just what the 'technical issue' was and whether it was simple human error or something more sinister. At the moment all we know is what that email tells us, namely that Acronis claim their database solutions are secure but this technical issue "made the spreadsheet have lower rights than it should have". Just as well the technical issue didn't hit a spreadsheet containing financial information, login information or something more of a security risk than email addresses, then. It also makes the Acronis brand statement of taking "a more effective approach to managing your data protection and disaster recovery needs" a little less robust than it was before.
Acronis has apologised to customers for the inconvenience caused and offered them a complimentary upgrade to Acronis True Image Home 2012 by way of compensation.
At the time of writing nobody from Acronis was available for comment.
Here's that Acronis email in full:
Dear Acronis Customer,
On June 29th, 2012, due to a technical issue with one of our servers, a spreadsheet containing a few email addresses and upgrade serial numbers was indexed by the search engine. You are receiving this email message because your address was one of those in the spreadsheet. As a result of this issue, your email address could have been looked up on the Internet by directly searching for it.
It is important to know that the email addresses from the spreadsheet were not accompanied by any personal information, such as Name, Phone Number or Postal/Billing Address. The only information indexed was the email addresses themselves and upgrade serial numbers.
As soon as our Engineering Team found out about this issue, this spreadsheet was removed from the server and a report was sent to the search engine support team so that it is removed from the search index.
Here are the answers to the most common questions:
Am I at risk of having my Acronis account breached?
No. Only email addresses were indexed, with no other data identifying your Acronis account.
How many people viewed/downloaded the spreadsheet?
14 (fourteen) people. We have their IP addresses and we are working with their ISPs to notify them of this issue and to ask them to delete the file.
The issue occurred last Friday. Why did I not immediately receive notification of this?
As soon as we learned of the issue, we launched an investigation to confirm that the spreadsheet originated from our server. Once confirmed, we immediately began to address the risk to our Customers, prioritized as follows:
The file has been removed from the server so it cannot be downloaded by a third party.
We have contacted the search engine support team to get the index removed so it does not appear in the search results. The removal is still in progress.
We have notified all affected Customers with this email message.
What is Acronis doing to prevent this from happening in the future?
While the solution we had was secure, a technical issue made the spreadsheet have lower rights than it should have. We have removed all the files which contain any Customer information from secure servers which are accessible from the open Internet. All such files are now internally accessible only via an access control system which will not allow downloading by unauthorized users.
Be sure that we take the security of our Customers very seriously. As compensation for this inconvenience, we would like to provide you with a complimentary upgrade to Acronis True Image Home 2012. You will receive an additional email message with your serial number and other instructions in approximately a week from now.
Again, we truly apologize for any inconvenience this has caused you, our Customer.
Chief Customer Officer
Acronis Customer Central
You (xxxxxxxxxx) are receiving this e-mail because you have purchased Acronis products, registered one of our products or have requested e-mails from Acronis. Your information is used exclusively by Acronis to provide you with relevant product and company news. Acronis does not supply customer information to any third party.
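The article's point, and the email's own answer on prevention, come down to one thing: a customer-data spreadsheet sat on an internet-facing server with "lower rights than it should have", so the web server could serve it and a search engine could index it. Acronis has not said what its technical issue was, and the following is not Acronis code; it is an added example of the kind of routine check that catches this class of mistake before a crawler does. It walks a web document root, picks out files whose type suggests a bulk data export (CSV, XLS, XLSX and similar), and reports any that are readable by everyone. The web root, file names and contents are constructed for the demonstration, and the suffix list is an assumption that should be tuned to whatever export formats an organisation actually produces.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed list of file types that commonly carry bulk customer-data exports.
DATA_EXPORT_SUFFIXES = {".csv", ".tsv", ".xls", ".xlsx", ".ods"}


def is_world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set: any local account, which normally
    includes the web server process, can read and therefore serve the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_web_root(web_root: Path) -> list[dict]:
    """Walk a document root and return one finding per data-export file that is
    world-readable. Such a file is downloadable by anyone who learns its URL and
    indexable by any crawler that reaches it via a link or directory listing."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in DATA_EXPORT_SUFFIXES:
                continue  # ordinary web content is expected to be readable
            if is_world_readable(p):
                st = p.stat()
                findings.append({
                    "path": str(p.relative_to(web_root)),
                    "mode": oct(st.st_mode & 0o777),
                    "size": st.st_size,
                })
    return findings


def build_sample_root() -> Path:
    """Construct a throwaway web root with sample files (constructed data, not
    anything from the incident) so the audit can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "exports").mkdir()

    exposed = root / "exports" / "upgrade-serials.csv"
    exposed.write_text("email,serial\nuser@example.com,PLACEHOLDER-SERIAL\n")
    exposed.chmod(0o644)  # world-readable: the misconfiguration the audit flags

    locked = root / "exports" / "internal.xlsx"
    locked.write_bytes(b"\x00")
    locked.chmod(0o600)   # owner-only: not reported

    page = root / "index.html"
    page.write_text("<html></html>")
    page.chmod(0o644)     # world-readable but not a data export: not reported
    return root


def run_demo() -> list[str]:
    """Build the sample root, audit it and return the flagged relative paths."""
    root = build_sample_root()
    return [f["path"] for f in audit_web_root(root)]


if __name__ == "__main__":
    for finding in audit_web_root(build_sample_root()):
        print(f"EXPOSED {finding['path']} mode={finding['mode']} bytes={finding['size']}")
```

Run as a scheduled job against each public document root, a non-empty result is a finding to act on the same day: move the file off the public host (as the email says Acronis has now done), put it behind the access control system that serves authenticated users only, and then deal with any copies crawlers have already taken. Permission bits are only one way a file becomes exposed, so the same check is worth extending to directory-listing settings and to the access rules of whatever web server or object store is in front of the files.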