
Attunity Data Leak: Vendor for half the Fortune 100 exposed terabyte of backups - johnnywalker817
https://www.upguard.com/breaches/attunity-data-leak
======
decasia
I mean, it's the usual story with these things — "accidentally stored internal
data — including other companies' security sensitive data — in a public file
share" (or in this case, S3). Not much to learn from the story that we don't
already know about IT security. Bottom line, it's bad to trust vendors that
are not trustworthy, and this can expose other kinds of lazy/bad practices in
your organization.

For a company that had thousands of clients, I didn't think 1TB was an
especially large amount of data, all things considered.

~~~
OrgNet
> or in this case, S3

S3 is very common when it comes to leaks for some reason

~~~
zwily
I’d say one big reason would be because so many people use it.

~~~
eli
Despite recent improvements, it's still pretty easy to accidentally make a
bucket public that you meant to keep private.

~~~
je42
Yep. As a bigger org you want automatic compliance checks that verify that all
buckets are not publicly accessible.

~~~
mwarkentin
They have explicit public access blocks at both the bucket and _account_ level
now. These override any permissions granted via IAM or bucket policy.

~~~
je42
That's why you still want explicit automatic audits.

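The two comments above (account- and bucket-level public access blocks, and still wanting an explicit automated audit) describe a check that can be run offline from exported configuration. The following is an added example, not code from the thread or from UpGuard or Attunity: it approximates the AWS notion of a "public" bucket (an ACL granting the global AllUsers/AuthenticatedUsers groups, or a bucket policy that allows `Principal: "*"`) and then applies the effective Public Access Block, the union of the bucket-level and account-level settings, to decide whether that grant is actually reachable. The bucket names, policies and block settings are constructed sample data; the real AWS evaluation has more cases (for example policies conditioned on `aws:SourceVpc`), so treat this as the shape of a compliance check rather than a drop-in replacement for the console's "Public" flag.

```python
"""Offline audit of S3 public exposure from exported configuration.

Added example (not from the thread). Approximates the AWS "public bucket"
evaluation: a bucket is anonymously reachable if an ACL grants a global
group or a policy allows Principal "*", unless the effective Public
Access Block (bucket-level OR account-level) neutralises that grant.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Group grantee URIs that make an ACL public.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class PublicAccessBlock:
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False

    def merged_with(self, other: "PublicAccessBlock") -> "PublicAccessBlock":
        # Account-level and bucket-level blocks combine; the stricter setting wins.
        return PublicAccessBlock(
            self.block_public_acls or other.block_public_acls,
            self.ignore_public_acls or other.ignore_public_acls,
            self.block_public_policy or other.block_public_policy,
            self.restrict_public_buckets or other.restrict_public_buckets,
        )


@dataclass
class Bucket:
    name: str
    acl_grantees: List[str] = field(default_factory=list)  # group grantee URIs
    policy: Optional[str] = None                           # bucket policy JSON
    pab: PublicAccessBlock = field(default_factory=PublicAccessBlock)


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]} means anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_allows_anonymous(policy_json: Optional[str]) -> bool:
    """True if any Allow statement names an anonymous principal (simplified)."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return any(s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))
               for s in stmts)


def acl_is_public(grantees: List[str]) -> bool:
    return any(g in PUBLIC_ACL_GRANTEES for g in grantees)


def public_exposure(bucket: Bucket, account_pab: PublicAccessBlock) -> List[str]:
    """Findings explaining why the bucket is publicly readable; empty if it is not."""
    eff = bucket.pab.merged_with(account_pab)
    findings = []
    if acl_is_public(bucket.acl_grantees) and not eff.ignore_public_acls:
        findings.append("ACL grants a global group and IgnorePublicAcls is off")
    if policy_allows_anonymous(bucket.policy) and not eff.restrict_public_buckets:
        findings.append("policy allows Principal * and RestrictPublicBuckets is off")
    return findings


def audit(buckets: List[Bucket], account_pab: PublicAccessBlock) -> dict:
    return {b.name: public_exposure(b, account_pab) for b in buckets}


# --- constructed sample inventory (hypothetical buckets, not real ones) ---
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::backups-sample/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::private-sample/*"}]})
SAMPLE_BUCKETS = [
    Bucket("backups-sample", policy=PUBLIC_POLICY),
    Bucket("legacy-acl-sample",
           acl_grantees=["http://acs.amazonaws.com/groups/global/AllUsers"]),
    Bucket("hardened-sample", policy=PUBLIC_POLICY,
           pab=PublicAccessBlock(True, True, True, True)),
    Bucket("private-sample", policy=PRIVATE_POLICY),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_BUCKETS, PublicAccessBlock()).items():
        print(f"{name}: {'PUBLIC: ' + '; '.join(why) if why else 'ok'}")
    # Same inventory once the account-level block is switched on: nothing public.
    print(audit(SAMPLE_BUCKETS, PublicAccessBlock(True, True, True, True)))
```

Run as-is it flags `backups-sample` and `legacy-acl-sample`, passes `hardened-sample` (bucket-level block) and `private-sample`, and then shows that enabling the account-level block clears every finding. In a real deployment the `Bucket` records would be filled from `GetBucketAcl`, `GetBucketPolicy`, `GetPublicAccessBlock` and the account-level `GetPublicAccessBlock` call, and the audit scheduled rather than run once.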
------
triplee
This one is a double whammy, not only because there's data on those
companies, but because it can be extrapolated that many of those companies are
relatively new to the cloud (and possibly which cloud service is available as
well), making them also ripe for targeting.

One of Attunity's bigger sales deals is making their data migration tools free
for a long period to help organizations migrate to cloud. This is essentially
a list of "Hey, these other orgs might also be open to hacking as they haven't
learned yet."

------
johnnywalker817
Not to mention Attunity is the preferred vendor for data integration by
Microsoft and Amazon... so it's not just non-tech Fortune 100 companies that use
them.

------
harry8
How much business will they lose?

This is a measure of market efficiency. In an efficient market they would lose
absolutely all of it.

Bet you they lose almost none of it. Manipulating old idiots on boards of
directors is _much_ more important than quality, which is what the word
"enterprise" means.

Enterprise IT (noun): Awful quality product that would get zero traction
without a massive con of ignorant boards and senior management.

~~~
jacques_chester
If you know a way to reduce the cost of moving data to zero, could you share
it with the class?

~~~
harry8
Flip it around. How high does that cost have to be before it stops being
_excellent_ value in this case? Why would you assume zero is the only cost
that makes sense here? That's insane!

edit: On reflection I think you've got a meaning from what I said that isn't
quite right. The cost of moving is one of the things that might make this
market inefficient. Anything that is a barrier to entry, a barrier to
switching provider contributes to market inefficiency. It's an economic term
worth knowing as people bandy it about here a bit. Barriers to entry,
imperfect information, market power of suppliers (here), nonzero selling
costs, nonzero switching costs all contribute. The question in most markets is
to what extent do they contribute? How inefficient is it? Here paying money
for gross incompetence when you found that out you'd be pretty determined to
dump the supplier because you've been conned, and conned badly. Now you are
aware of being exposed to a large risk, ever increasing legally once you do
nothing when you clearly know the risk exists. So it's a good measure of how
efficient _this_ market is because nobody of any competence or sanity _wants_
to stay with this supplier anymore.

~~~
jacques_chester
The dominant cost here is switching cost. Data has mass-like characteristics.
It exhibits inertia, momentum and gravity.

To move data from one to another requires three terms: you need to be moving
at least as fast as the production rate, you need to be accelerating at least
as fast as the production rate is and then, on top of those, you need additional
movement speed to be able to move the original accumulation.

For the market to be perfectly competitive in an economic sense, switching
costs would have to be zero. Hence my original smartarsery.

I think it's more likely that they'll call their lawyers and haggle for a few
bucks off the next renewal.

~~~
harry8
You wanted service, you got a punch in the face. So negotiate a small discount
while leaving yourself wide open for being sued? Crazy! These guys are a huge
risk of not being around in a year.

That's some kind of market inefficiency right there. How bad would this
service have to be to dump the supplier? It's actually kind of hard to imagine
this being worse, don't you think?

It's not my area but I'm pretty sure I can design a parallel solution to get
away from the vampires relatively quickly. Start collecting current data
somewhere else in parallel to the existing. Move all the existing data, take
as long as that takes. Switch off the tap to the legacy vampires when it's
done and the new, up-to-date collection has full history. Pay to get it done.
Sue your former suppliers for the entire cost on account of them being
fundamentally incompetent and dishonest. Dare them to fight it. Tell them just
how much you're looking forward to discovery which by necessity will _not_ be
confidential. "How famous do you want to be?" Give interviews about how you
don't put up with this kind of standover nonsense. Seriously you can't have
these idiots as suppliers. You really can't. We can't have them survive in the
industry and simultaneously have self-respect, surely. Airlines with planes
that crash that aren't their fault go broke. These guys surviving this, just
no. They need to die and be condemned to the hell of writing blog posts on
medium about what they learned from their total abject and utter failure.
Attunity customers who stick with them should be sued for treating their own
customers health, safety and wellbeing with contempt. No fortune 100 customer
agreed to that risk. A few bucks off the renewal? Just no.

~~~
jacques_chester
I'm not Attunity and I'm not defending them. I'm explaining why some companies
will have different preferences from yours (and, to some degree, mine).

------
jbverschoor
You don't just guess the full path of such a file.

Sounds like a data breach, either on the server or in the ops code / config.

When will data ownership be a thing? No need for ANY company to store my data
if I can have it on my phone, which is on 24/7 and connected.

------
techslave
the real story is, if these were sensitive why wasn’t the data encrypted?

~~~
jedberg
You could reasonably write it off as not being a best practice in 2014
(although that doesn't explain the current backups being unencrypted). Also
it's a terrible excuse.

------
slenk
Is it responsible for Upguard to have waited two days to try and contact
Attunity?

*edit - I'm not trying to be smarmy - it's a genuine question

~~~
tastroder
You have to verify and internally coordinate a disclosure of this size. The
article also mentions that they were unclear about a point of contact due to a
recent merger and that they are in a different time zone. Two days sounds
completely reasonable for all of that.

------
techslave
a terabyte? cue dr evil: one _million_ dollars.

what’s that, one email signature?

