A new security report suggests audio manufacturer Sennheiser may have exposed customer data.
A team of researchers discovered an old cloud account full of customer data belonging to Sennheiser. The account has not been used since 2018, but over 28,000 Sennheiser customers had their data leaked. The data may be old, but it contains personal, private information that is valuable to online criminals.
Researchers Noam Rotem and Ran Locar of VPNMentor contacted Sennheiser to disclose the discovery on October 28, 2021. According to the team, Sennheiser was using an Amazon Web Services (AWS) S3 bucket to store data collected from the public.
Sennheiser failed to implement any security measures on this S3 bucket, leaving the contents exposed and easily accessible to anyone with a web browser. Researchers were able to identify Sennheiser as the owner of the data because files in the bucket carried the company's name and Sennheiser employees were listed in the bucket's infrastructure.
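The exposure described above comes down to bucket configuration: a bucket policy or ACL that grants access to everyone, with no S3 Block Public Access setting to override it. The audit script below is an added example written for this article, not code from VPNMentor or Sennheiser, and the two sample buckets it checks are constructed (the bucket name, account ID and owner ID are placeholders, not Sennheiser's real configuration). It assumes the input dictionaries have the shape returned by the boto3 calls `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`, so the same functions can be run over live responses from an account you administer.

```python
"""Audit an S3 bucket's policy, ACL and Block Public Access settings for public exposure.

Added example; the sample buckets below are constructed and do not describe any real account.
"""
import json

# Group URIs that make an ACL grant readable by the whole internet or by any AWS account.
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
# The four S3 Block Public Access flags; all must be True for the feature to fully protect a bucket.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal) -> bool:
    """True if a policy statement's Principal is '*' or {'AWS': '*'}, i.e. anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return the Sid (or index) of every Allow statement granted to a wildcard principal.

    A Condition block may narrow such a grant (for example to one VPC endpoint); it is still
    reported so that a reviewer reads the condition instead of trusting it blindly.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def public_access_block_complete(pab: dict) -> bool:
    """True only if all four Block Public Access settings are enabled on the bucket."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def audit_bucket(policy_json: str, acl: dict, pab: dict) -> dict:
    """Combine the three checks; 'exposed' means a public grant exists and nothing blocks it."""
    report = {
        "public_policy_statements": public_policy_statements(policy_json),
        "public_acl_grants": public_acl_grants(acl),
        "block_public_access_complete": public_access_block_complete(pab),
    }
    has_public_grant = bool(report["public_policy_statements"] or report["public_acl_grants"])
    report["exposed"] = has_public_grant and not report["block_public_access_complete"]
    return report


# Constructed sample 1: an unsecured bucket of the kind the article describes.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]},
                          "Permission": "READ"}]}
NO_PAB = {}  # no Block Public Access configuration present at all

# Constructed sample 2: the hardened form, access limited to one application role (placeholder ARN).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                           "Permission": "FULL_CONTROL"}]}
FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print("exposed bucket :", audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_PAB))
    print("hardened bucket:", audit_bucket(HARDENED_POLICY, HARDENED_ACL, FULL_PAB))
```

Run against a live bucket, the three inputs come from `get_bucket_policy()["Policy"]`, `get_bucket_acl()` and `get_public_access_block()`; when the last call raises `NoSuchPublicAccessBlockConfiguration`, pass an empty dict, which the audit treats as "not blocked". The check deliberately reports wildcard grants even when a Condition is present, because conditions are where misconfigurations hide.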
“Once we confirmed that Sennheiser was responsible for the data breach, we contacted the company to notify it and offer our assistance. Sennheiser replied a few days later and asked us to give details of our findings. We disclosed the URL to the unsecured server and provided further detail about what it contained. Despite not hearing back from the company again, the server was secured a few hours later.”
What data may have been exposed by Sennheiser?
VPNMentor researchers say the database contained 55 GB of data from 28,000 customers. The data appeared to have been collected between 2015 and 2018. It's unclear how the data was collected, but a large amount of personally identifiable information was exposed, including:
- Full Names
- Email Addresses
- Phone Numbers
- Home Addresses
- Names of Companies Requesting Samples
- Number of Employees
The scope of the exposure is worldwide, but the majority of affected customers are in North America and Europe. The misconfigured AWS bucket may have helped criminals identify targets for identity theft, tax fraud, insurance fraud, and phishing campaigns for more sensitive data.
VPNMentor disclosed the breach to Sennheiser, which must notify customers of a data breach or data exposure under the EU's GDPR requirements.