Wedemark, Germany-based audio giant Sennheiser is working “intensively” to investigate how some customer data was exposed on the internet two months ago, the company says in a newly updated statement.
In a notice on its website, Sennheiser acknowledges being notified in October that some company data was displayed on the web. The company says it took immediate action to close the security gap.
According to the company, a cloud folder used for a temporary backup left some customer contact information exposed to the web.
At that time, the company says, it had been under the impression that no personal data was involved. However, the company has since learned that contact information was included.
The statement reads, in part, as follows:
To our great regret, however, we learned in the meantime that contact information for some of our customers was accessible on the Internet in a cloud folder that was used for temporary data backup. This contact information (first and last name, address, and e-mail addresses as well as telephone numbers) was originally provided to register for our newsletter and for participation in online competitions.
At the end of last week, we therefore immediately complied with our duty to inform the data security authority of the state of Lower Saxony.
Although as of today we have no indication that the data from the cloud folder was accessed by third parties, we are working hard to reconstruct all details of the incident and notify potentially affected customers as soon as possible.
The statement is in response to a report from cybersecurity researchers with vpnMentor that states the data is from a cloud account dormant since 2018. It contained the contact data of over 28,000 customers.
vpnMentor says the issue was a misconfigured AWS S3 bucket, which left more than 407,000 files and 55GB of data exposed online. However, researchers say there is no evidence that the data was accessed or leaked, since only the bucket’s owners would know.
The vpnMentor research team discovered Sennheiser’s data vulnerability as part of a huge web-mapping project. Researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.
Sennheiser was notified of the issue on Oct. 28 and closed the security gap on Nov. 1, according to vpnMentor.
The Data Exposed
As noted, the exposed data included full names, email addresses, phone numbers and home addresses. Other vulnerable information included the names of companies requesting samples and the number of employees at those companies.
According to the security researchers, the S3 bucket also contained a 4GB database backup, but it was protected.
The data belonged to customers and suppliers around the globe, but the majority of those exposed are based in North America and Europe, researchers say.
While the data itself will likely not lead to widespread cyberattacks or identity theft, hackers can piece it together with other available information to build a victim profile. That profile can then be leveraged in complex phishing campaigns designed to trick victims into providing more sensitive information, such as Social Security numbers, bank account details and more.
This article originally appeared on our sister site Commercial Integrator. It has been updated to reflect changes in the company’s statement.