Sennheiser, an audio tech giant, exposed thousands of customers’ data, as discovered by vpnMentor’s research team.
Sennheiser had accidentally left an old cloud account full of customer data out in the open.
While the account in question appears to have been dormant since 2018, over 28,000 Sennheiser customers were exposed, with sensitive private data leaked.
The data may be old, but it’s still valuable to criminals and hackers, and the leak itself could have been much worse. It represents a massive oversight by a huge, multinational, well-known company.
Company Profile
Sennheiser was founded in the German town of Wedemark in 1945 by Dr. Fritz Sennheiser. To this day, it remains a privately-owned, family-run business based in Wedemark.
The company manufactures high-quality audio equipment for personal and business use, including microphones, headphones, recording equipment, and aviation headsets.
Sennheiser has operations in over 50 countries worldwide, with roughly 2,800 employees and an annual turnover of €756.7 million in 2019.
An Exposed AWS S3 Bucket
Sennheiser was using an Amazon Web Services (AWS) S3 bucket to store data collected from the public through its various activities. S3 buckets are a popular enterprise cloud storage solution. However, it is up to the users to properly define the security settings to protect any data stored therein.
Sennheiser failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills.
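The security settings in question can be audited offline from a bucket's configuration. The Python sketch below is an added example, not code from vpnMentor's report or from Sennheiser. The report does not say which setting was missing, so the sketch checks the three places public access can come from. It assumes its inputs follow the shapes returned by the S3 GetPublicAccessBlock (the PublicAccessBlockConfiguration object), GetBucketAcl and GetBucketPolicy calls; the function name `audit_bucket` and the sample values are constructed for illustration.

```python
import json

# Global grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block, acl, policy_json):
    """Return a list of findings; an empty list means no public exposure found."""
    findings = []
    pab = public_access_block or {}  # None means no Block Public Access config at all
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    # Public ACL grants only take effect while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append("ACL grants %s to %s"
                                % (grant["Permission"], uri.rsplit("/", 1)[-1]))
    # Simplification (assumption): any Allow with a wildcard principal and no
    # Condition is treated as public, unless RestrictPublicBuckets is on.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for st in statements:
            principal = st.get("Principal")
            wildcard = principal == "*" or (
                isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
            if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
                findings.append("Policy allows anonymous access: %s" % st.get("Action"))
    return findings


# Constructed sample input: a public-read ACL, audited with and without the flags.
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
ALL_ON = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for label, pab in (("no settings", None), ("all four flags on", ALL_ON)):
        print(label, "->", audit_bucket(pab, PUBLIC_READ_ACL, None) or "no exposure found")
```
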
Personally Identifiable Information (PII) Data Exposed
Vast amounts of Personally Identifiable Information (PII) data were exposed in the breach, including:
- Full names
- Email addresses
- Phone numbers
- Home addresses
- Names of companies requesting samples
- Number of the requesting company’s employees
Data Breach Impact
Had malicious or criminal hackers discovered Sennheiser’s AWS account before it was secured, they could have used the exposed data in a wide range of criminal schemes.
The exposed data would have been enough for skilled hackers to commit many of the most common forms of fraud, including:
- Identity theft
- Tax fraud
- Insurance fraud
- Mail fraud
- Bank account takeover
- Debit or credit card fraud
- Mortgage fraud
- Phishing campaigns