Rubrik recently had one of its databases, which is hosted on an Amazon Elasticsearch server, publicly exposed. The server was not password protected, and anyone who could find the server could access it. Competitors, smelling blood in the water, started making all sorts of insinuations, including that Rubrik was growing too fast for its own good. What should we do with Rubrik? How dare they make the same mistake that so many other companies and organizations (including Equifax and the NSA) have made? Maybe Rubrik should be forced to close its doors for good!
The storage news journalists went crazy reporting the news, and Storage Switzerland’s phone and email started chiming with interview requests. For example, a TechCrunch report refers to the incident as a “massive” database and Rubrik as a “Cloud Giant.” Rubrik is enjoying an impressive rise in market share, but calling its customer database “massive” in the face of competitors like Veeam, Dell EMC, Commvault, Veritas, and others is overstating things. Also, if Rubrik is a “Cloud Giant,” then what adjective should we use to describe Google, Amazon, and Azure?
For its part, Rubrik claims the database was left unsecured due to human error, and that no one accessed it, other than security researcher Oliver Hough, who found the server and alerted the media to its existence. Hough claims at least two other individuals accessed it. The logs should tell the story but logs can be modified.
Storage Switzerland is not making excuses for Rubrik, but Rubrik is not the first company to have this happen, and it certainly won’t be the last. Should Rubrik make sure to secure its servers? Absolutely. Should it evaluate the processes that led to this server being left unsecured? Absolutely. Should it notify the affected customers? Again, absolutely.
Beyond these steps what should we do with Rubrik? It was a human error. One thing that humans seem prone to do is make mistakes. Again, Rubrik needs to do everything possible to make sure that it doesn’t leave another server exposed, but other vendors need to be careful in their righteous indignation. As the old adage goes, people in glass houses shouldn’t throw stones. Any IT vendor that has customer information in the cloud or even on-premises is a glass house. They are all just one human away from the same thing happening to their organizations.
In addition to continually reevaluating security procedures, vendors that capture customer information need to look into a full-time position that constantly tries to hack their environments externally. According to a report from Johnny Yu at searchDataBackup.com, Oliver Hough used a tool called Shodan.io to find the exposed server. It makes sense that every organization with applications sitting in the cloud should regularly use tools like Shodan.io to check themselves. Better to have an employee find the exposed server than someone on the outside.
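Checking yourself from the outside with a tool like Shodan.io catches a server after it is already reachable; the same mistake can also be caught before deployment by auditing the node's own configuration. The script below is an added example and not code from the article, from Rubrik, or from Elastic. It assumes a self-managed Elasticsearch node configured through elasticsearch.yml (for Amazon's managed service the equivalent control is the domain access policy rather than this file), it uses constructed sample configurations, and it assumes the 6.x/7.x basic-license behaviour in which a missing `xpack.security.enabled` line means authentication is off (8.x turns security on by default, so adjust the flag for those versions).

```python
"""Audit an elasticsearch.yml for the combination that leaves the REST API
open to anyone who can reach it: bound to a non-loopback address with
security disabled. Added example; the sample configs below are constructed."""
from __future__ import annotations

import ipaddress

# Constructed weak configuration: listens on every interface, no authentication.
WEAK_CONFIG = """
cluster.name: backup-metadata
network.host: 0.0.0.0          # reachable from every interface
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed hardened configuration: app-facing interface only, auth and TLS on.
HARDENED_CONFIG = """
cluster.name: backup-metadata
network.host: ["127.0.0.1", "_site_"]
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, list[str]]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.

    Comments and blank lines are skipped and bracketed lists are split on
    commas. Assumption: no nested YAML blocks and no '#' inside quoted values.
    """
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            items = [value.strip("\"'")]
        settings[key.strip()] = items
    return settings


def _is_loopback(value: str) -> bool:
    """True for the Elasticsearch default (_local_) and literal loopback IPs."""
    if value in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        # Interface aliases such as _site_, _global_ or _eth0_ bind non-loopback
        # addresses, so anything we cannot parse as an IP is treated as open.
        return False


def audit(text: str, assume_security_off_when_unset: bool = True) -> dict:
    """Return findings and an 'exposed' verdict for one elasticsearch.yml."""
    settings = parse_flat_yaml(text)
    findings: list[str] = []

    # network.host defaults to loopback; http.host overrides it for the REST API.
    hosts = settings.get("network.host", ["_local_"])
    hosts = settings.get("http.host", hosts)
    open_hosts = [h for h in hosts if not _is_loopback(h)]
    if open_hosts:
        findings.append("REST API bound to non-loopback address(es): " + ", ".join(open_hosts))

    flag = settings.get("xpack.security.enabled")
    if flag is None:
        # Assumption: 6.x/7.x basic license leaves security disabled when unset.
        security_on = not assume_security_off_when_unset
        if not security_on:
            findings.append("xpack.security.enabled not set; treated as disabled")
    else:
        security_on = flag[0].lower() == "true"
        if not security_on:
            findings.append("xpack.security.enabled: false -> no authentication on the REST API")

    # Both conditions together are what put a database in front of the whole internet.
    return {
        "exposed": bool(open_hosts) and not security_on,
        "security_enabled": security_on,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(cfg)
        print(f"{name}: exposed={report['exposed']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as part of a pre-deployment check, a verdict of `exposed=True` is the case the article describes: reachable and unauthenticated. The hardened config still reports its site-local binding as a finding, since a reachable node is only acceptable because authentication is turned on.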
Consumer Protect Thyself
Another lesson here is that organizations need to be very careful about which vendors they share information with and what specific information they provide to a vendor. It is reasonable to assume that in this era, the first name, last name, corporate email address, and city of a company employee is public information. It’s OK to give that information out, but most vendors should not need anything more than that level of detail to maintain communications with their customers.
One of the negative impacts of legislation like GDPR and California’s CPA is that users may become complacent and assume that these regulations are all the protection they need. These regulations only provide a path to penalize companies for not protecting and securing data; they can’t undo what has occurred. If a person’s or an organization’s data makes it into public view, they are exposed. Stolen data can’t be recalled. There is also no real clarity about what will happen to the money that organizations like the EU collect from GDPR violation fines, and there is no guarantee of personal restitution.
Organizations face conflicting versions of reality. On one hand, they are expected never to allow a breach to occur; on the other hand, they are also faced with the fact that eventually everyone will be breached. Regulations like GDPR and California’s CPA have good intentions and will get organizations to pay more careful attention to securing data. However, organizations and individuals need to remain vigilant about what data they share and store with any other organization. Countries can pass even more regulations and impose stiffer and stiffer fines, but humans will still be humans, and eventually one of them will make a simple mistake that defeats even the most complex security strategies.