Knowledge Base access rights 'glitch' blamed for Acronis data leak


Acronis responds to DaniWeb questions regarding a leak of customer data which, as we exclusively reported over the weekend, resulted in some information being indexed by search engines and accessible to anyone on the Internet.


Although the leak itself was identified by Acronis on Friday 29th June, the email informing those customers whose data was included in the exposed spreadsheet only went out late in the day on Friday 6th July. DaniWeb itself was only made aware of the problem, by one of those customers, on Saturday morning. As a result, contacting someone at Acronis for an official comment regarding the incident proved a little tricky. However, Acronis did swing into action and the relevant people were tracked down in order to provide that comment, which arrived very late in the day (well, night here in the UK) on Sunday.

Here's what Ed Benack, Chief Customer Officer at Acronis Customer Central, told DaniWeb about what actually happened:

"We have a strict content management policy that applies different access rights to our Knowledge Base, depending on content – for example, some may be Partner only, some may be Customer only. For reasons we are still investigating, the access control list reset to the default setting, making all content visible, temporarily. The vast majority of this content in the Knowledge Base is not sensitive or confidential, however it did contain an older spreadsheet listing just the email addresses of customers who had been entitled to a free product upgrade, and their upgrade license key. In compliance with our customer information security policies, no other identifying information was contained in this spreadsheet. The rights issues were addressed immediately, and we are still investigating why this occurred in the first place. In addition, we have updated our policy and moved all internal files to a completely separate database to further protect customer information, should another unexpected software glitch occur. This glitch did not occur in an Acronis product. We do pass our apologies on to those customers affected, and we have offered a further free product upgrade. We were pleased that our data security policies had prevented any other information from being released. Customers can be assured that we have a multi-level approach to protecting their personal information."

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

CMaker3 0 Newbie Poster

I'm a customer of Acronis and didn't receive an email regarding the issue. But I am concerned about the length of time it took them to respond to the "threat" and it took a customer to make them aware of the security leak.

No one is immune from security issues. It's how fast and effective a company responds to such a break that says about how good a company is in dealing with security issues. And this incident, even if not much damage was done as reported, doesn't speak well of Acronis' ability to respond efficiently.

I hope they correct this or should I start "scanning" elsewhere.
