German audio equipment manufacturer Sennheiser left an unsecured AWS server online. The server stored around 55GB of information on over 28,000 Sennheiser customers.
Sennheiser used an AWS S3 bucket to store large data files containing data collected from its customers. The database belonged to an old cloud account and held data on 28,000 customers, collected between 2015 and 2018; the database had been dormant since 2018.
The scope of the exposure is worldwide, but the majority of affected customers are in North America and Europe. The misconfigured AWS bucket may have helped criminals identify targets for identity theft, tax fraud, insurance fraud, and phishing campaigns for more sensitive data.
The database may be old, but the information would still be valuable to cybercriminals. The bucket contained data from individuals and businesses requesting Sennheiser’s product samples. The database included full names, email addresses, home addresses, phone numbers, employee names, and company names.
This kind of data is sufficient for cybercriminals to perform various attacks such as phishing scams or identity theft. The exposed AWS server was secured by Sennheiser promptly, but it is concerning that such sensitive data was open to public access for such a long time.