Document Scanning Firm Exposes More Than 140 Gigabytes Of Corporate Documents

The Moscow-based document scanning company Abbyy inadvertently exposed thousands of customers’ corporate documents when a server was left misconfigured, a security analyst said.

The exposure is the latest involving misconfigured MongoDB databases, which have involved a number of high-profile companies in recent months.

Independent security researcher Bob Diachenko said when he found the server through the Shodan search engine it was configured for access without a password.

The server was hosted on Amazon’s cloud-based AWS platform, which has hosted so many misconfigured databases that Amazon created an automated tool to alert users when they’ve accidentally left data publicly accessible.

Corporate documents

Diachenko said the server contained 142GB of data, including large amounts of sensitive information.

“The MongoDB in question… contained a large chunk of scanned documents (more than 200,000 contracts, (non-disclosure agreements), memos, letters and other internal documentation…) which apparently were stored by Abbyy partners using their administration console,” Diachenko wrote in an advisory.

After determining the database belonged to Abbyy, he contacted the company, which quickly closed off access to the data earlier this month.

It was unclear how long the data was exposed or who may have accessed it.

Abbyy said the breach affected only one customer, but didn’t specify who it was.

Insecure in the cloud

The company provides document-scanning services to a number of large corporate clients, including Volkswagen, PepsiCo, McDonald’s and the Australian Taxation Office.

Abbyy said it had restricted access to the documents as soon as it was notified, and said the breach was a “one-off incident” that didn’t compromise other services, products or clients.

“Our commitment to security and trust is extremely important,” Abbyy said in a statement. “Further analysis is ongoing.”

Firms recently affected by MongoDB misconfigurations include a virtual keyboard for Android called AI.type, which has more than 40 million users, and the popular app Sitter, which connects parents with babysitters.

Last year the Australian government exposed the details of tens of thousands of government and bank employees through an AWS server, while a security firm leaked the CVs of thousands of former US military personnel.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Amazon Workers In North Carolina Reject Unionisation

Workers at Amazon warehouse near Raleigh vote against joining union, as company continues to challenge…

1 hour ago

China President Xi Meets With Top Tech Leaders

High-profile meeting with tech leaders seen as signal China is boosting tech sector after years…

2 hours ago

South Korea To Buy 10,000 GPUs For National AI Hub

South Korea hopes to gain leg up in international AI race with infusion of private…

2 hours ago

BYD, Geely, Great Wall Add DeepSeek AI To EVs

Chinese electric vehicle giants rush to incorporate DeepSeek AI tech to cars after it creates…

3 hours ago

South Korea Suspends DeepSeek From App Stores

South Korean data authority suspends Chinese AI start-up DeepSeek from Apple, Google app stores while…

3 hours ago

Google Puts ‘Profits Over Privacy’ With Tracking Change

Privacy advocates criticise Google over decision to allow companies to track users via digital fingerprints,…

4 hours ago