VpnMentor‘s research team, led by Noam Rotem and Ran Locar, recently uncovered that consumer audio firm Sennheiser had left an old cloud account full of client data available to the public.
While the account in question appears to have been inactive since 2018, sensitive personal information of over 28,000 Sennheiser customers was exposed.
Even if the information is outdated, it is nevertheless valuable to crooks and hackers, and the leak might have been much worse. It represents a tremendous blunder on the part of a large, well-known international corporation.
Overview of the Company:
Dr. Fritz Sennheiser created Sennheiser in the German town of Wedemark in 1945. It is still a family-run, privately held firm based in Wedemark.
Microphones, headphones, recording equipment, and aircraft headsets are among the company’s high-quality audio products for personal and corporate usage.
Sennheiser has operations in more than 50 countries, employing over 2,800 people and generating an annual revenue of €756.7 million in 2019.
Owner Reaction and Timeline of Discovery
Date of discovery: October 26th, 2021
Vendors were contacted on October 28th, 2021.
Response deadline: November 1, 2021
The deadline for action is November 1, 2021.
When the scope of a data breach and who owns the data are evident, the problem is usually remedied swiftly. These are, however, uncommon occasions. Often, it takes days of inquiry to figure out what’s at stake or who’s leaking the information.
It takes time and effort to fully comprehend a breach and its possible consequences. We work hard to ensure that the reports we publish are accurate and trustworthy and that everyone who reads them appreciates the gravity of the situation.
Some of those who are affected deny the facts, dismissing or downplaying the significance of our findings. As a result, we must be thorough and double-check everything we find.
Sennheiser was storing data acquired from the public through its different activities in an Amazon Web Services (AWS) S3 bucket in this instance. A common enterprise cloud storage solution is Amazon S3 buckets. Users, on the other hand, are responsible for correctly defining security settings in order to protect any data kept there.
Sennheiser neglected to deploy any security protections on their S3 bucket, exposing the contents to anyone with a web browser and technical knowledge.
Due to various indications, including files with Sennheiser’s name and Sennheiser personnel named in the bucket’s infrastructure, we easily identified Sennheiser as the data’s owner.
We contacted Sennheiser to warn them of the data breach and offer our assistance after we confirmed that Sennheiser was to blame for it. Sennheiser responded a few days later, asking for more information. We revealed the unsecured server’s URL as well as further information regarding its contents. The server was secured a few hours later despite not hearing from the company again.
An Example of S3 Bucket Entries:
Between 2015 and 2018, Sennheiser used their S3 bucket to store over 55 GB of data from over 28,000 clients.
While it’s unclear how all of this information was gathered, it appears to have come from customers and businesses who requested Sennheiser product samples. As a result, the breach exposed a large amount of Personally Identifiable Information (PII), including:
- Names
- Email addresses
- Phone Numbers
- Addresses
- The names of the companies who have requested samples
- Employees of the requesting company in number
The S3 bucket also held a 4 GB database backup, but it was password-protected, and we didn’t try to access it for ethical reasons.
While Sennheiser’s customers and suppliers were affected all over the world, the majority of those affected were in North America and Europe.
Impact of a Data Breach:
The unprotected data may have been exploited in a variety of illicit schemes if malicious or criminal hackers had discovered Sennheiser’s AWS account before it was secured.
Skilled hackers might have used the exposed data to commit many of the most frequent types of fraud, including:
- Identity theft
- Tax fraud
- Insurance fraud
- Mail fraud
Bank account takeover
- Debit or credit card fraud
- Mortgage fraud
And many more…
Even if the data exposed wasn’t enough to exploit for illicit benefit, it could be used to carry out sophisticated phishing campaigns.
In a phishing campaign, thieves imitate actual businesses and organisations by sending victims fraudulent emails and SMS messages. They hope to gain the victim’s trust by tricking them into one of the following actions:
- Providing extra PII data (such as social security numbers) or private information (such as bank account numbers) that can be used in the above-mentioned fraudulent actions.
- Inputting debit or credit card information into a phoney payment site so that it can be scraped and sold on the dark web by criminals.
- Clicking a link that contains dangerous software, such as malware, spyware, or ransomware, that infects a user’s device.
If the information was gathered using a “request a sample” style form, fraudsters might use it to generate extremely convincing phishing emails impersonating Sennheiser and fooling former customers into supplying additional personal information or clicking a dangerous link.
Furthermore, because of the large number of people affected by the data theft, cybercriminals would only need to con a small percentage of them to be successful.
Sennheiser’s point of view is as follows:
Sennheiser is subject to the EU’s GDPR jurisdiction because it is situated in Europe and the leak affects numerous European citizens. As a result, it will have to notify the authorities about the data breach and address the vulnerability that exposed its server as soon as possible. Otherwise, the regulatory agency may conduct additional investigations and levy fines.
Sennheiser may also face public and media attention for exposing so many people to online fraud and attacks. Any unfavourable publicity generated as a result of the tale may drive potential customers to one of the audio industry’s many competitors.
The company’s finances would be strained if it had to respond to each of these outcomes.
If Sennheiser had taken some basic security precautions, it could have simply avoided exposing its customers’ data. Among them are, but not limited to:
- Its servers are safe.
- Appropriate access rules should be implemented.
- Never leave a machine open to the internet if it does not require authentication.
- It is stored and not utilised to encrypt sensitive data.
Regardless of its size, any organisation can follow the same steps.
Keeping an Open S3 Bucket Secure
It’s crucial to clarify that S3 buckets that are available to the public are not an AWS flaw. They’re frequently the result of the bucket owner making a mistake. AWS users may find thorough instructions on how to secure and keep their S3 buckets private on Amazon’s website.
The simplest approach to repair this problem in the case of Sennheiser would be to:
- Add authentication mechanisms and make the bucket private.
- Follow the best practises for AWS access and authentication.
- To further restrict who can access their S3 bucket from any point of entry, add further layers of protection to it.
Customers of Sennheiser:
If you’re a Sennheiser customer who’s concerned about how this breach might affect you, get in touch with the firm to find out what efforts it’s taking to protect your data.
To Conclude:
Laidback behaviour towards data security can cause you loss in large amounts, being an entrepreneur you are responsible for the safety of your customer’s data. So it is necessary to learn and implement safety measures against cybercrimes to stand against data breaches.
