alphaspirit - Fotolia

CEO: Veeam database exposure fixed, investigation launched

Veeam co-CEO Peter McKay said there's 'no excuse' for the exposure of a marketing database and millions of email addresses. He said the company is being proactive in its response.

A Veeam co-CEO today apologized for the error that made millions of email addresses in a database visible for two weeks, and said the data protection vendor is investigating the incident.

Human error caused the Veeam database with 4.5 million unique email addresses to be accessible to third parties, according to Peter McKay, who is also Veeam's president.

During maintenance of Veeam's network, the MongoDB marketing database, which contained data between two-and-a-half and four years old, became exposed in an unsecure way.

"Security is something I and Veeam take very seriously," McKay said in his first media interview about the incident. "We apologize."

McKay said the company launched an investigation into the incident and is working to improve its security.

Veeam co-CEO Peter McKayPeter McKay

Veeam sells its products exclusively through channel partners, so it does not collect credit card information. The exposed customer information contained email addresses, names and, in some cases, IP addresses. While original reports said the Veeam database incident exposed 440 million email records, many of those were duplicates of the same emails.

"It wasn't easy to find unless you're looking for it," McKay said. "We don't think any of their data was actually used -- it was just accessible."

During and after the incident

The Veeam database first became exposed Aug. 28. Security researcher Bob Diachenko said in a LinkedIn post that he discovered the issue on Sept. 5. Veeam's social media team discovered tweets referencing a possible database issue on Sept. 7.

A Veeam employee reached out to Diachenko for explanation, and the company set out to validate the claim. Veeam said it heard from TechCrunch editor Zack Whittaker on Sept. 10, when the company validated the claim and fixed the problem by securing the database within an hour.

"We appreciate someone bringing the issue up to us," McKay said.

While the incident was isolated and entirely accidental, there's "no excuse," he said. "Human error is the weakest link in the security chain."

Since learning of the incident, Veeam has communicated with customers and partners throughout the week, sending emails, making calls and recording videos. McKay said he doesn't know of customers receiving errant emails as a result of the exposure.

Our approach is: Be as proactive as you can be, be as transparent as you can be, be as accessible as you can be.
Peter McKayco-CEO, Veeam Software

Steve Duplessie, founder and senior analyst at Enterprise Strategy Group, credited Veeam for quick action after the breach discovery. He said there does not appear to be a lot of damage done regarding the type of information exposed, compared with other high-profile incidents -- such as the Target breach --  that publicly released credit card data. Ideally, the vendor itself would have found the problem originally, he said, but at least in this case, the person who discovered the Veeam database exposure was not looking to steal information.

"I think they've handled it admirably," Duplessie said. Veeam didn't hide, it admitted the problem and it's "taking the right steps to make sure it doesn't happen again."

Duplessie did add that he would like a Veeam security officer to speak publicly about what the company is doing to protect itself going forward.

"They're all about data protection. That's their world," Duplessie said. "Hopefully we'll hear from them as to how they can change their operating procedures so this won't happen again."

Veeam's next steps

Veeam Software launched in 2006 with a focus on virtual protection. It has since added cloud and physical support. In the last couple of years, Veeam has focused on the enterprise and made a push into data management.

The incident marks the first time Veeam customer information has leaked, McKay said. The company's investigation procedures included making sure it understood the magnitude of the problem and checking for any other vulnerabilities, while shoring up its data privacy and security.

"We thought we were really good at it," McKay said.

While the Veeam database exposure did not contain any sensitive data, the company proactively contacted regulatory authorities to address any concerns.

Veeam has also made the appropriate changes within the organization, handling the issue internally, McKay said, declining to give specifics.

"It's making us better internally," McKay said.

Duplessie suggested Veeam use its engaged customer community to help find issues in processes, in addition to using it for finding bugs in software.

Veeam claims 315,000 customers, growing at a rate of 4,000 per month. McKay said Veeam has received a few inquiries, but he doesn't expect to lose customers.

"Our approach is: Be as proactive as you can be, be as transparent as you can be, be as accessible as you can be," McKay said.

Dig Deeper on Data backup security

Disaster Recovery