Massive Rubrik Data Leak Provides Lessons for Security Providers
TechCrunch alerted the company after security researcher Oliver Hough found the leak. The exposed server wasn’t protected with a password, allowing access to anyone who could find it.
In his blog, Arvind Nithrakashyap, Rubrik’s co-founder and chief technology officer, said his company investigated and “rectified the issue immediately. We have confirmed that no customer-owned data was exposed.”
“The sandbox development data repository defaulted to a lower-access security level and we failed to follow our standard security procedure to appropriately set the access control,” he said. “To prevent this from happening again, we are rolling out stricter processes such as multiple levels of approvals and security reviews throughout the organization.”
The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including names, contact information and case work for each corporate customer, according to TechCrunch. It’s believed the data goes back to October, according to timestamps found inside.
Geoff Tudor, vice president and general manager of Vizion.ai at Panzura, said there are a lot of lessons to be learned from this data leak.
“Never put any data into any cloud infrastructure until you have done your corporate security audit compliance,” he said. “Have all default application passwords been changed? Do the new passwords meet your [corporate] password strength protection? Have firewall rules been implemented to reduce attack-surface exposure?”
“One of the big pains with Elasticsearch, where the Rubrik data was hosted, according to reports, is that configuration, operation and security can be complex and cumbersome,” Tudor said. “An example is that AWS allows you to create Elasticsearch that is wide open to the world, with no authentication or passwords. This is similar to how S3 buckets were exposed in prior breaches.”
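The wide-open configuration Tudor describes is visible in the domain's resource-based access policy, so it can be caught by a check run before a sandbox domain is created. The following is an added example, not code from the article or from any vendor quoted in it: it evaluates a constructed Amazon Elasticsearch Service access policy and flags Allow statements that grant HTTP access to an anonymous principal with no narrowing Condition. It assumes the domain has a public endpoint and deliberately ignores VPC-only domains and fine-grained access control, which would need separate checks.

```python
import json

# Constructed sample domain access policies (not from the article), in the
# resource-policy format Amazon Elasticsearch Service domains use.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/sandbox-dev/*"}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/sandbox-dev/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal grants access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def open_statements(policy_json):
    """Return Allow statements reachable by anyone on the internet: anonymous
    principal, no Condition narrowing it, and an action covering HTTP access."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # A Condition such as aws:SourceIp limits an anonymous grant; this simple
        # check treats any Condition as a mitigation rather than evaluating it.
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "es:*") or a.startswith("es:ESHttp") for a in actions):
            findings.append(stmt)
    return findings


def is_wide_open(policy_json):
    """Flag a domain whose access policy lets unauthenticated clients query it."""
    return bool(open_statements(policy_json))
```

The same policy string is what the Elasticsearch Service DescribeElasticsearchDomain API returns in its `AccessPolicies` field, so the check can be run against existing domains as well as against templates in a pipeline.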
Terry Ray, Imperva’s chief technology officer, said the Rubrik data exposure once again “highlights the interconnectedness of all security programs, and how one breakdown – and in this case what looks like a human error – can end up having catastrophic impacts.”
“While Rubrik should be commended for reacting swiftly once the issue was brought to light, the issue also shows the fundamental importance of protecting vital data wherever it lives,” he said. “Additionally, the data exposure also highlights how modern data repositories, like Elasticsearch in this incident, have created a fundamental conflict in businesses.”
The use of modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements that often demand advanced enablement of technical staff before their use, Ray said.
“It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.”
Jeff Williams, Contrast Security’s co-founder and chief technology officer, said this is more of a vulnerability disclosure and not a breach. When a security researcher finds a problem, and responsibly reports it to a company, that’s pretty healthy, he said.
“Rubrik seems to be responding quickly and thoroughly, with at least a little contrition,” he said. “It appears that this problem occurred due to a simple misconfiguration. I think the lesson is that you can never leave configuration up to humans. The real lesson of DevSecOps is that by turning security into code, it can be built, tested and managed in a completely automated fashion. To the maximum extent possible we have to get the humans out of the loop. We’ll never stamp out all errors, but this is basic blocking and tackling. We can’t afford to get burned by the simple stuff.”