
Sennheiser Responds After Customer Data Exposed Online

Published: 2021-12-20

Wedemark, Germany-based audio giant Sennheiser is working “intensively” to investigate how some customer data was exposed on the internet two months ago, the company says in a new statement.

In a notice on its website, Sennheiser acknowledges being notified in October that some company data was displayed on the web. The company says it took immediate action to close the security gap.

According to the company, a cloud folder used for a temporary backup left some customer contact information exposed to the web. However, no personal customer data was displayed.

Sennheiser’s Response

The statement reads, in part, as follows: “We would like to sincerely apologize for the incident. At the moment, we are working intensively to reconstruct all details of the situation. As we take data security very seriously at Sennheiser, we are working to send a notification to potentially affected customers as soon as possible.”

The statement is in response to a report from cybersecurity researchers with vpnMentor that states the data is from a cloud account dormant since 2018. It contained the contact data of over 28,000 customers.

vpnMentor says the issue was a misconfigured AWS S3 bucket, leading to more than 407,000 files and 55GB of data being exposed online. However, researchers say there is no evidence that the data was accessed or leaked, as only the bucket’s owners would know.

The vpnMentor research team discovered Sennheiser’s data breach as part of a huge web-mapping project. Researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.

Sennheiser was notified of the issue on Oct. 28 and closed the security gap on Nov. 1, according to vpnMentor.

The Data Exposed

Some of the data exposed included full names, email addresses, phone numbers, home addresses, names of companies requesting samples and number of employees of requesting companies.

According to the security researchers, the S3 bucket also contained a 4GB database backup, but it was protected.

The data belonged to customers and suppliers around the globe, but the majority of those exposed are based in North America and Europe, researchers say.

While the data itself will likely not lead to widespread cyberattacks or identity theft, hackers can use that data and piece it together with other available information to build a victim profile. That then can be leveraged in complex phishing campaigns designed to trick victims into providing more sensitive information, such as social security numbers, bank account details and more.
