Internet security company VirusTotal has issued an apology over the leaking of customer data in June 2023.
The Google-owned company shared a blog post explaining the incident on 21 July, after German news outlet Der Standard first reported the security breach on 17 July.
The data totalled only 313 kilobytes, so it was a small leak by recent standards; however, it contained the details of about 5,600 of VirusTotal's Premium-level customers. According to Der Standard and sister outlet Der Spiegel, which confirmed the authenticity of the dataset, the details included users and accounts from US Cyber Command and the NSA, as well as “official bodies” from the UK, Taiwan, and the Netherlands.
However, the leak was not a malicious attack but rather a case of user error on the part of a VirusTotal employee.
As it turns out, someone at VirusTotal uploaded a CSV file to the company’s platform that contained “limited information” of some of VirusTotal’s customers.
“On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform,” VirusTotal wrote in a blog post. “This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators.”
“We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”
Google has said that the company is working on its internal processes to ensure such an incident never happens again. VirusTotal itself has said much the same, as well as throwing out an unequivocal mea culpa.
“First and foremost, we want to clarify unequivocally: This was not the result of a cyber attack or a vulnerability with VirusTotal,” VirusTotal said. “This was a human error, and there were no bad actors involved.”
According to VirusTotal, the exposed data consisted of company names, their group names on VirusTotal's own platform, and the email addresses of group admins.
“We assure you that the data disclosed was limited strictly to the sort of information provided in the example above,” the company said. “Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data.”
Analysis
While the data was secured relatively quickly, the fact that at least two news outlets were able to access the data and confirm it before it was removed suggests that bad actors could have done the same.
The information is enough to target potential high-level customers with phishing campaigns or more subtle attacks. And, for a company that deals in security – especially with government agencies – it is very much not a good look.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.