Document Scanning Firm Exposes More Than 140 Gigabytes Of Corporate Documents

The Moscow-based document scanning company Abbyy inadvertently exposed thousands of customers’ corporate documents when a server was left misconfigured, a security analyst said.

The exposure is the latest involving misconfigured MongoDB databases, which have involved a number of high-profile companies in recent months.

Independent security researcher Bob Diachenko said when he found the server through the Shodan search engine it was configured for access without a password.

The server was hosted on Amazon’s cloud-based AWS platform, which has hosted so many misconfigured databases that Amazon created an automated tool to alert users when they’ve accidentally left data publicly accessible.

Corporate documents

Diachenko said the server contained 142GB of data, including large amounts of sensitive information.

“The MongoDB in question… contained a large chunk of scanned documents (more than 200,000 contracts, (non-disclosure agreements), memos, letters and other internal documentation…) which apparently were stored by Abbyy partners using their administration console,” Diachenko wrote in an advisory.

After determining the database belonged to Abbyy, he contacted the company, which quickly closed off access to the data earlier this month.

It was unclear how long the data was exposed or who may have accessed it.

Abbyy said the breach affected only one customer, but didn’t specify who it was.

Insecure in the cloud

The company provides document-scanning services to a number of large corporate clients, including Volkswagen, PepsiCo, McDonald’s and the Australian Taxation Office.

Abbyy said it had restricted access to the documents as soon as it was notified, and said the breach was a “one-off incident” that didn’t compromise other services, products or clients.

“Our commitment to security and trust is extremely important,” Abbyy said in a statement. “Further analysis is ongoing.”

Firms recently affected by MongoDB misconfigurations include a virtual keyboard for Android called AI.type, which has more than 40 million users, and the popular app Sitter, which connects parents with babysitters.

Last year the Australian government exposed the details of tens of thousands of government and bank employees through an AWS server, while a security firm leaked the CVs of thousands of former US military personnel.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

19 hours ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

19 hours ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

20 hours ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

1 day ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

1 day ago