(TNS) — US Internet’s email security business exposed thousands of customer emails on the open Internet due to human error.
The gaffe was discovered by a computer security consultant in Milwaukee and made public Wednesday by cybersecurity expert Brian Krebs. Minnesota-based US Internet said Thursday that the issue has been resolved and it is investigating how much data may have been accessed.
“We were able to block it before it became a big problem,” said US Internet CEO Travis Carter. “It took a lot of effort, a lot of money, and it left a lot of scars on our faces, for lack of a better word.”
U.S. Internet generates most of its revenue by providing Internet service through its own fiber-optic network in Minneapolis and adjacent suburbs. US Internet also operates an email security company called Securence that filters email for spam, viruses, and other threats.
The email in question was from a customer of Security, not US Internet’s typical ISP business. Securence’s customers include businesses and governments across the country, including Minnesota.
Milwaukee-based Hold Security discovered a vulnerability in the U.S. Internet while working for one of its clients.
“In some cases, you may come across systems that are clearly visible on the Internet,” said Alex Holden, chief information security officer at Hold.
The US Internet was one of them. Holden said he discovered thousands of email repositories for Security customers that had been publicly available for “an extended period of time.”
“The big surprise is, this is unusual; [Securence] “The company is an email service provider,” Hold said. “The good thing is we found no evidence that any data was stolen.”
Hold Security contacted Mr. Krebs, a well-known cyber expert. Krebs’ website, KrebsOnSecurity, says that Holden and his researchers “discovered public links to Internet email servers in the United States that listed more than 6,500 domain names, each with a clickable link. “It was,” he reported.
“Drilling down into these individual domain links revealed the inboxes of each employee or user of these exposed hostnames,” Krebs wrote, which Carter acknowledged. Internal emails of some current and former U.S. Internet employees were also exposed.
“KrebsOnSecurity has been writing about data breaches for nearly 20 years, but this one easily trumps the level of incompetence required to make such a huge mistake go unnoticed.” Krebs wrote.
Mr. Krebs informed Mr. Carter of the vulnerability before publishing his report, and US Internet promptly removed the information from the Internet.
“The problem was a human problem,” Carter said. “It was literally his one command in the system.”
Carter said the leaked information was on four servers, none of which hosted popular email services from Google or Microsoft.
As of this morning, fewer than 10 of Security’s customers and less than 300 individual emails had been accessed by unauthorized parties, he said. Carter said more than 99% of his Security business was unaffected by this error.
Still, “I don’t want to trivialize it and we take it very seriously.”
©2024 Star Tribune. Visit startribune.com. Distributed by Tribune Content Agency, LLC.
