Acronis responds to DaniWeb questions regarding a leak of customer data which, as we exclusively reported over the weekend, resulted in some information being indexed by search engines and accessible to anyone on the Internet.


Although Acronis identified the leak itself on Friday 29th June, the email informing the customers whose data was in the exposed spreadsheet only went out late in the day on Friday 6th July. DaniWeb itself was only made aware of the problem, by one of those customers, on Saturday morning. As a result, contacting someone at Acronis for an official comment regarding the incident proved a little tricky. However, Acronis did swing into action and the relevant people were tracked down in order to provide that comment, which arrived very late in the day (well, night here in the UK) on Sunday.

Here's what Ed Benack, Chief Customer Officer at Acronis Customer Central, told DaniWeb about what actually happened:

"We have a strict content management policy that applies different access rights to our Knowledge Base, depending on content – for example, some may be Partner only, some may be Customer only. For reasons we are still investigating, the access control list reset to the default setting, making all content visible, temporarily. The vast majority of this content in the Knowledge Base is not sensitive or confidential, however it did contain an older spreadsheet listing just the email addresses of customers who had been entitled to a free product upgrade, and their upgrade license key. In compliance with our customer information security policies, no other identifying information was contained in this spreadsheet. The rights issues were addressed immediately, and we are still investigating why this occurred in the first place. In addition, we have updated our policy and moved all internal files to a completely separate database to further protect customer information, should another unexpected software glitch occur. This glitch did not occur in an Acronis product. We do pass our apologies on to those customers affected, and we have offered a further free product upgrade. We were pleased that our data security policies had prevented any other information from being released. Customers can be assured that we have a multi-level approach to protecting their personal information."


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


I'm a customer of Acronis and didn't receive an email regarding the issue. But I am concerned about the length of time it took them to respond to the "threat" and it took a customer to make them aware of the security leak.

No one is immune from security issues. It's how fast and effectively a company responds to such a break that says something about how good a company is in dealing with security issues. And this incident, even if not much damage was done as reported, doesn't speak well of Acronis' ability to respond efficiently.

I hope they correct this or should I start "scanning" elsewhere.
