Document Scanning Firm Exposes More Than 140 Gigabytes Of Corporate Documents

The Moscow-based document scanning company Abbyy inadvertently exposed thousands of customers’ corporate documents when a server was left misconfigured, a security analyst said.

The exposure is the latest involving misconfigured MongoDB databases, which have involved a number of high-profile companies in recent months.

Independent security researcher Bob Diachenko said when he found the server through the Shodan search engine it was configured for access without a password.

The server was hosted on Amazon’s cloud-based AWS platform, which has hosted so many misconfigured databases that Amazon created an automated tool to alert users when they’ve accidentally left data publicly accessible.

Corporate documents

Diachenko said the server contained 142GB of data, including large amounts of sensitive information.

“The MongoDB in question… contained a large chunk of scanned documents (more than 200,000 contracts, (non-disclosure agreements), memos, letters and other internal documentation…) which apparently were stored by Abbyy partners using their administration console,” Diachenko wrote in an advisory.

After determining the database belonged to Abbyy, he contacted the company, which quickly closed off access to the data earlier this month.

It was unclear how long the data was exposed or who may have accessed it.

Abbyy said the breach affected only one customer, but didn’t specify who it was.

Insecure in the cloud

The company provides document-scanning services to a number of large corporate clients, including Volkswagen, PepsiCo, McDonald’s and the Australian Taxation Office.

Abbyy said it had restricted access to the documents as soon as it was notified, and said the breach was a “one-off incident” that didn’t compromise other services, products or clients.

“Our commitment to security and trust is extremely important,” Abbyy said in a statement. “Further analysis is ongoing.”

Firms recently affected by MongoDB misconfigurations include a virtual keyboard for Android called AI.type, which has more than 40 million users, and the popular app Sitter, which connects parents with babysitters.

Last year the Australian government exposed the details of tens of thousands of government and bank employees through an AWS server, while a security firm leaked the CVs of thousands of former US military personnel.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago