IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sennheiser exposed personal data of 28,000 customers with leaky S3 bucket

Server containing full names, email addresses, phone numbers, and supplier information was left open to the public for three years

Three Sennheiser headsets stacked on top of each other on a wooden table

Audio equipment manufacturer Sennheiser exposed personal data belonging to around 28,000 customers through a misconfigured Amazon Web Services S3 bucket, researchers revealed on Thursday.

The data in question had been collected between 2015 and 2018 and then stored on a public-facing S3 bucket that has remained dormant ever since, according to experts at VPN reviews website vpnMentor.

The data included customers' full names, email addresses, phone numbers, and home addresses, as well as the names of companies requesting hardware samples and the number of employees they had. At least 407,000 files, totaling 55Gb of data, were available.

"Sennheiser failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills," the researchers said.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

The researchers discovered the exposed data on October 26, notifying Sennheiser two days later. Following a request for more information on November 1, the researchers sent the company the URL leading to the unsecured server along with examples of the types of information they had been able to lift. The company then locked the server down a few hours later.

VpnMentor said that if anyone had accessed the exposed data, they could have used it for identity theft, enabling them to perpetrate tax, insurance, mortgage, and credit card fraud. They could also have sent phishing emails to victims impersonating Sennheiser in order to source an even greater trove of personal information.

S3 is the storage layer supporting AWS services, and can be configured to be accessible from the public internet or to be private. However, it remains up to customers to make sure the buckets are configured correctly.

Exposing data in misconfigured S3 buckets is a common problem for AWS customers. In August, consumer ratings and review website SeniorAdvisor exposed over three million US senior's personal data via the cloud-based service. In June 2020, vpnMentor also discovered sensitive files from at least 100,000 users across multiple dating sites in exposed S3 storage.

Amazon has attempted to mitigate the problem, which typically stems from human error, with a tool to spot misconfigured resources.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Cloud security market to hit $106 billion by 2029
cloud computing

Cloud security market to hit $106 billion by 2029

11 Apr 2022
Alkira offers Check Point CloudGuard Security to secure virtual cloud networks
Cloud

Alkira offers Check Point CloudGuard Security to secure virtual cloud networks

29 Sep 2021
Iboss protects web sessions with remote browser isolation
Cloud

Iboss protects web sessions with remote browser isolation

16 Aug 2021
Most CISOs worry cloud software flaws aren’t being caught
cloud security

Most CISOs worry cloud software flaws aren’t being caught

7 Jun 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022