Tech Data: No Evidence That Data Stored On Exposed Server Was Misused

Tech Data says information on the exposed server might include facts that can be found on a business card, one-time use credentials to activate a specific cloud service, or the date and time of service activations.

Tech Data said there's no indication that a recent data leak from one of the company's servers resulted in unauthorized transactions or other fraud.

The Clearwater, Fla.-based distribution giant said in a statement it corrected the security vulnerability on its StreamOne cloud marketplace server and disabled the affected server within hours of being notified. The statement comes after vpnMentor reported that its security researchers had found a "major" data leak at Tech Data that exposed 264 GBytes of client and employee corporate and personal data.

Tech Data said there currently isn't any evidence that the data stored on the exposed server was misused, but noted that the company's investigation is continuing and will satisfy all data reporting requirements. vpnMentor said its researchers discovered the data leak and reached out to Tech Data Sunday, with Tech Data's team responding to a follow-up contact and fixing the data leak Tuesday.

[Related: Tech Data Fixes Leak That Exposed Reseller Payment Information: Report]

"Tech Data takes the protection of our customers', partners' and employees' data very seriously," the company said in a statement. "As always, our focus is on maintaining the data security and confidentiality."

Data on the exposed server might include both facts that can be found on a business card as well as other information, like one-time use credentials to activate a specific cloud service, or the date and time of service activations, according to Tech Data.

However, Tech Data said no credentials necessary for logging into StreamOne or other Tech Data customer accounts resided on the exposed server. Tech Data also said it doesn't store any credit card numbers or bank details in the StreamOne marketplace.

Portions of Tech Data’s statement contrast with vpnMentor’s Thursday morning report, which indicates that Tech Data's Graylog log management server was leaking payment and credit card data as well as reseller contact and invoice information. Specifically, vpnMentor reported that sensitive information available in the Tech Data data leak included bank information, payment details, and usernames and unencrypted passwords.

Similarly, TechCrunch reported that the records exposed on the Tech Data server contained partial payment information such as card type, cardholder names and expiration dates. TechCrunch indicated that none of the leaking data was encrypted except for obfuscated credit card numbers.

TechCrunch journalist Zack Whittaker said in an email that he stood by his reporting, while vpnMentor didn't immediately responded to requests for comment. TechCrunch had spoken with the vpnMentor researchers and examined a portion of the leaked records. vpnMentor said security researchers Noam Rotem and Ran Locar were the ones to identify the Tech Data data leak.

Tech Data is experiencing the same question of how to respond as any company would when faced with a security issue, said John Spiridigliozzi, chief operating officer and director of engineering services at Infinit Technology Solutions, an East Syracuse, N.Y.-based solution provider that works with the distributor.

"Like anybody caught in this situation, I'm concerned about the impact for us," Spiridigliozzi told CRN. "Tech Data is an honorable company. I expect them to get their arms around this."

Infinit Technology Solutions also provides security to its clients, Spiridigliozzi said.

"As a provider of security to my customers, I know it's not 'Bam, this is what we'll do,' he said. "There's a process."

That process includes a set of protocols Tech Data has to adhere to given that it is a public entity, Spiridigliozzi said. "And that doesn't include what your insurance company needs you to do," he said. "You just can't run out with a statement."

That said, Spiridigliozzi is sure no one at Tech Data is taking this situation lightly.

"I'm sure they're doing something," he said. "I don't want spin control; I want to know what they're doing about it. I need to know what my exposure is. And if you were my client calling me, I would do the same. It's like any incident. There's bad news, and you have got to respond."

The Tech Data data exposure shows that no one can take security for granted, Spiridigliozzi said.

"I tell clients you can't take things lightly anymore," he said. "These things don't just happen to somebody else."

Joseph F. Kovar contributed to this story.