Misconfigured Server by the Third Party Vendor Exposed 2.8 Million Customer Records
Written by: Black Kite
A security incident exposed the records of 2.8 million CenturyLink customers because of a misconfigured MongoDB database belonging to a third-party vendor. The vendor has not been named, but it operates a notification platform used by CenturyLink. The exposed data may include names, addresses, phone numbers, email addresses, and CenturyLink account numbers; the incident did not involve financial information.
CenturyLink gave a statement to CompariTech saying: “Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident. The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. We will continue to work to protect customer information. CenturyLink takes the protection of our customers’ information seriously, and we will work to ensure that we earn our customers’ trust.”
Many companies and their third parties use cloud servers to store their data. Cloud storage has clear advantages, but a misconfigured server can expose sensitive data to anyone who finds it, and such a mistake is an open invitation to attackers to dump a company's data and use it for malicious purposes.
Monitoring third-party vendors and assessing their cyber risk are crucial to preventing security incidents and data breaches that originate with a third party. A recent survey conducted by the Ponemon Institute reveals that 59% of companies experienced a third-party breach in 2018, an increase of 3% over the previous year. Data breaches caused by third parties cost large companies millions of dollars and can be devastating to small businesses.
Black Kite enables enterprises to monitor their external cyber risk posture and perform nonintrusive cyber risk assessments of their suppliers, subsidiaries, third-party vendors, and target acquisitions. Check out data breaches caused by third parties and request a free cyber risk scorecard here.