Mistake exposes thousands of customers’ emails
U.S. Internet’s email security business exposed thousands of its customers’ emails on the open internet because of human error.
The gaffe was discovered by a Milwaukee computer security consultant and made public last week by cybersecurity expert Brian Krebs. Minnesota-based U.S. Internet said the problem has been resolved and that it’s assessing how much data may have been accessed.
“We were able to block it before it became a huge issue,” said Travis Carter, U.S. Internet’s CEO. “It has taken a lot of work, a lot of cost and left a lot of egg on our face for lack of a better term.”
U.S. Internet generates most of its revenue by providing internet service through its fiberoptic network in Minneapolis and adjacent suburbs. U.S. Internet also operates an email security company called Securence, which filters emails for spam, viruses and other threats.
The emails in question were from customers of Securence, not U.S. Internet’s general ISP business. Securence’s clients include companies and governments nationwide.
Hold Security in Milwaukee discovered U.S. Internet’s vulnerability while working for its own clients.
“In some cases, we come upon systems that are in plain view” on the internet, said Alex Holden, Hold’s chief information security officer.
U.S. Internet was one of those cases. Hold discovered thousands of email repositories for Securence’s customers that were exposed to the public “for a long period of time,” Holden said.
“The big surprise — and this is unusual — is that (Securence) is an email service provider,” Hold said. “The good thing is that we found no evidence that data was stolen.”
Hold Security contacted Krebs, a well-known cyber expert. Krebs’ website, Krebsonsecurity, reported that Holden and his researchers had “unearthed a public link to a U.S. Internet email server listing more than 6,500 domain names, each with its own clickable link.”
“Drilling down into those individual domain links revealed inboxes for each employee or user of these exposed host names,” Krebs wrote and Carter confirmed. Some internal emails of current and former U.S. Internet employees were also exposed.
“Krebsonsecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed,” Krebs wrote.
Before publishing his report, Krebs informed Carter of the vulnerability, and U.S. Internet immediately wiped the information off the internet. “The problem was a human issue,” Carter said. “It was literally one command in the system.”
Carter said the exposed information was on four servers, none of which host popular email services from Google and Microsoft.
As of Friday morning, fewer than 10 of Securence’s customers — and less than 300 individual emails — had been accessed by unauthorized parties, he said.
Over 99% of Securence’s business was not affected by the error, Carter said.
Still, “I don’t want to trivialize it, and we are taking it very seriously,” he said.