Document Scanning Firm Exposes More Than 140 Gigabytes Of Corporate Documents

The Moscow-based document scanning company Abbyy inadvertently exposed thousands of customers’ corporate documents when a server was left misconfigured, a security analyst said.

The exposure is the latest in a series of incidents involving misconfigured MongoDB databases, which have affected a number of high-profile companies in recent months.

Independent security researcher Bob Diachenko said that when he found the server through the Shodan search engine, it was configured to allow access without a password.

The server was hosted on Amazon’s cloud-based AWS platform, which has hosted so many misconfigured databases that Amazon created an automated tool to alert users when they’ve accidentally left data publicly accessible.

Corporate documents

Diachenko said the server contained 142GB of data, including large amounts of sensitive information.

“The MongoDB in question… contained a large chunk of scanned documents (more than 200,000 contracts, (non-disclosure agreements), memos, letters and other internal documentation…) which apparently were stored by Abbyy partners using their administration console,” Diachenko wrote in an advisory.

After determining the database belonged to Abbyy, he contacted the company, which quickly closed off access to the data earlier this month.

It was unclear how long the data was exposed or who may have accessed it.

Abbyy said the breach affected only one customer, but didn’t specify who it was.

Insecure in the cloud

The company provides document-scanning services to a number of large corporate clients, including Volkswagen, PepsiCo, McDonald’s and the Australian Taxation Office.

Abbyy said it had restricted access to the documents as soon as it was notified, and said the breach was a “one-off incident” that didn’t compromise other services, products or clients.

“Our commitment to security and trust is extremely important,” Abbyy said in a statement. “Further analysis is ongoing.”

Firms recently affected by MongoDB misconfigurations include a virtual keyboard for Android called AI.type, which has more than 40 million users, and the popular app Sitter, which connects parents with babysitters.

Last year the Australian government exposed the details of tens of thousands of government and bank employees through an AWS server, while a security firm leaked the CVs of thousands of former US military personnel.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
