[German]Audio gigant Sennheiser was victim of a data protection incident. Sennheiser (audio technology left an old cloud account unprotected on the Internet so that third parties could access customer data. Security researcher found the open Amazon AWS S3-Bitbucket and informed the vender who then secured the data base immediately.
Advertising
Sennheiserwas founded in 1945 by Dr. Fritz Sennheiser. To this day, it remains a privately owned, family-run company based in Wedemark, Germany. The company manufactures high-quality audio equipment for private and business use, including microphones, headphones, recording devices and headsets for aviation. Sennheiser has a global presence in more than 50 countries, employs about 2,800 people and generated annual sales of 756.7 million euros in 2019.
Old S3 bucket forgotten on AWS
The vpn-Mentor security team, which scans the Internet for open databases, recently came across an old cloud instance, via which Sennheiser accidentally exposed account containing customer data. Sennheiser was running an Amazon Web Services (AWS) S3 bucket that collected data from various public activities. In total, this involved 55 gigabytes of data. Sennheiser failed to implement any security measures for its S3 bucket, leaving the content completely unprotected and easily accessible to anyone with a web browser and technical knowledge. Although the account in question contained data from 2015 to 2018 and appears to have been inactive since 2018, more than 28,000 Sennheiser customers were affected. This data privacy incident involved sensitive private data such as:
- Full names
- Email addresses
- Phone numbers
- Home addresses
- Names of companies requesting samples
- Number of employees at the requesting company
The data discovered on October 26, 2021 was old, but still valuable to criminals and hackers. For Sennheiser, the whole thing represents a GDPR-relevant incident. A massive oversight by a large, multinational and well-known company.
Sennheiser informed
The vpnMentor security team was able to quickly identify Sennheiser as the owner of the data in the unprotected S3 bucket. This was because the data contained files with the company's name and Sennheiser employees listed in the bucket's infrastructure. The security researchers notified Sennheiser of the data breach. Sennheiser responded a few days later, asking for details. After providing the URL of the unsecured server and other details to Sennheiser, the AWS server showed access protection a few hours later. However, Sennheiser did not get back to us. Details of the incident can be read here.
