Peak Design Accidentally Leaked 10 Years of Client Data and Records (2024)

Peak Design Accidentally Leaked 10 Years of Client Data and Records (1)

A decade’s worth of Peak Design’s client data (about half a million records) leaked publicly because due to a data migration, the information was temporarily not password protected.

The data leak was discovered by Cybernews in a report published this morning. It includes a full summary of the leak, what it believes to have been the cause, and screenshots backing up the publication’s findings as well as supposed proof that the data had been seen by malicious parties.

“On March 25th, the Cybernews research team identified the leak and informed the company. While the data appeared on search engines on April 24th, the leaked support tickets span nearly a decade from June 2014 to May 2023, magnifying the scope of the leak,” Cybernews writes. “Cybernews researchers found a ransom note on the company’s systems, indicating it was likely accessed by the threat actor at least once.”

Peak Design confirmed the data breach to PetaPixel this afternoon.

“You support Peak Design with the confidence that we protect your privacy. We recently discovered and fixed a data compromise involving historical customer service tickets,” Peter Dering, Peak Design’s Founder and CEO explains in an email sent to PetaPixel but is addressed to customers.

Peak Design says that the data includes customer service tickets dating from October 2013 to May 2023.

“These tickets can include customer names, emails, shipping addresses, order details, and correspondences with our customer service team. It’s important to note that no passwords, credit card info, bank info, social security numbers, or other personal information was compromised,” Dering says. “If you had correspondence with our customer service team during the aforementioned dates, the contents of that correspondence may have been compromised.”

The company says it is not aware of any misuse of the information and reiterates that no account credentials, credit card info, bank info, or social security numbers were part of this data leak.

“If you receive communication from or relating to Peak Design that seems suspicious, contact us at [emailprotected]. If you are concerned about identity theft and would like more information on ways to protect yourself, visit the Federal Trade Commission’s Identity Theft website.

How The Leak Happened

Cybernews reports that the information was visible publicly because Peak Design did not set a password to what are known as Elasticsearch servers.

“The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems,” Cybernews explains. “Access to the Elasticsearch servers should never be exposed to the public web without proper authentication, as it is a common target for threat actors preying on user data. Ransomware bots, especially, target poorly secured instances and wipe data.”

Peak Design says this happened as the result of a data migration.

“Last year Peak Design migrated to a new customer service platform, and as a part of that migration, we created an internal system for agents to quickly search historical tickets. On March 11, 2024, a security gap was inadvertently created when the private server hosting the information was accidentally made externally accessible. On April 25th the staff at Cybernews, an independent cybersecurity research publication, detected the problem and we promptly fixed it. We believe the data was compromised on April 1st by an unauthorized third party. We don’t know that party’s identity or if they actually saved or distributed any info, and are not aware of any misuse of that information,” Dering says.

Peak says that the issue arose because a single setting was “mistakenly enabled” and the company has since put in place “an IT approval protocol and enhanced training” to do its best to ensure such a leak does not happen again.

“Moreover, we are actively reviewing our privacy protocols and data-handling training regimen,” Dering adds.

“Your trust means everything to us. The risk of cyber attack is a reality of doing business in the modern world, and we’re responding to this incident with the utmost haste and seriousness. It is in our mission to treat our customers as peers, which to us has always meant clarity in communication, honoring our word, and respecting your privacy. Thank you for your continued support.”

Cybernews’ full report can be read on the publication’s website.

Peak Design Accidentally Leaked 10 Years of Client Data and Records (2024)

FAQs

What should you do in case of data leakage? ›

Secure Your Operations
  • Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. ...
  • Mobilize your breach response team right away to prevent additional data loss. ...
  • Assemble a team of experts to conduct a comprehensive breach response. ...
  • Stop additional data loss.

What are some consequences of having your data leaked? ›

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of ...

How do you deal with data leaks? ›

Here are six steps to take if your information is exposed in a data breach.
  1. Stay Alert. ...
  2. Secure Your Accounts. ...
  3. Initiate a Fraud Alert. ...
  4. Monitor Your Financial Accounts and Credit Reports. ...
  5. Freeze or Lock Your Credit File. ...
  6. Stay Vigilant to Signs of Scams.
Apr 8, 2024

What is data leakage What are the factors that can cause data leakage? ›

A data leak is when information is exposed to unauthorized people due to internal errors. This is often caused by poor data security and sanitization, outdated systems, or a lack of employee training. Data leaks could lead to identity theft, data breaches, or ransomware installation.

How to solve data leakage? ›

Key Steps in Handling a Data Leak
  1. Assemble the Team. You'll need to bring together a variety of experts to deal with the situation. ...
  2. Secure Your IT Systems. ...
  3. Create a Communications Plan. ...
  4. Notify Law Enforcement and Government Agencies. ...
  5. Fix the Problem.

What to do if my data has been breached? ›

72 hours - how to respond to a personal data breach
  1. Step one: Don't panic. ...
  2. Step two: Start the timer. ...
  3. Step three: Find out what's happened. ...
  4. Step four: Try to contain the breach. ...
  5. Step five: Assess the risk. ...
  6. Step six: If necessary, act to protect those affected. ...
  7. Step seven: Submit your report (if needed)

Can I sue for data leak? ›

You may sue for a data breach if you can prove that you suffered measurable harm because of the breach, such as identity theft or financial loss.

Are data leaks a big deal? ›

Data leaks are a major threat: They can expose sensitive information and lead to financial loss, reputational damage, legal trouble, and identity theft.

What is the best strategy to limit data leaks? ›

The following data security practices could prevent data leaks and minimize the chances of data breaches.
  1. Evaluate the Risk of Third Parties. ...
  2. Monitor all Network Access. ...
  3. Identify All Sensitive Data. ...
  4. Secure All Endpoints. ...
  5. Implement Data Loss Prevention (DLP) Software. ...
  6. Encrypt All Data. ...
  7. Evaluate All Permissions.

What are the consequences of leaking confidential information? ›

Consequences of leaking confidential information

This compromises an individual's privacy, making them vulnerable to identity theft, fraud, or other malicious activities. Reputational damage: Organizations that fail to protect confidential information may suffer significant reputational harm.

What are the four common causes of data breaches? ›

Common Causes of Data Breaches
  • Cause 1. Insider Threats Due to Misuse of Privileged Access. ...
  • Cause 2. Weak and Stolen Passwords. ...
  • Cause 3. Unpatched Applications. ...
  • Cause 4. Malware. ...
  • Cause 5. Social Engineering. ...
  • Cause 6. Physical Attacks.
Apr 18, 2024

What are the indicators of data leakage? ›

Being unable to enter login credentials can be a sign of a breach. If a hacker has access to an account, they can change passwords. On the other hand, they might have tried to access an account repeatedly and failed, causing it to become locked.

What should be the first step if a data breach is suspected? ›

Step 1: Contain

Once an entity has discovered or suspects that a data breach has occurred, it should immediately take action to limit the breach. For example, stop the unauthorised practice, recover the records, or shut down the system that was breached.

What is best practice regarding information leakage? ›

One way to prevent data leaks is to educate employees about endpoint security risks, reducing the risk of employee negligence that allows attackers to break through security controls.

What is the most appropriate action that you should take when you encounter a data breach? ›

Contain the Cyber Breach

You should change all affected or vulnerable passwords immediately. Use a password manager and create new, strong passwords for each account, and refrain from reusing the same passwords on multiple accounts. That way, if a data breach happens again in the future, the damage may be limited.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Virgilio Hermann JD

Last Updated:

Views: 6121

Rating: 4 / 5 (41 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.