A major Internet provider in the Twin Cities announced that it has immediately resolved an issue that led to the inadvertent release of thousands of emails.
US Internet CEO Travis Carter said that in early 2023, an employee misconfigured the security settings on a traditional email server, unknowingly putting hundreds of thousands of messages from the past 15 years on the public internet. He said it had been made public.
Carter said in a phone interview Thursday with MPR News that credit card numbers or Social Security numbers are not being released and customers of the company’s fiber-optic internet service are not affected.
The messages released included USI’s own internal emails as well as those of thousands of customers of the company’s Securence email service.
MPR News is supported by our members. Gifts from individuals are the driving force behind everything here. Become a member by making a gift of any amount today!
Carter said the company has notified affected customers and is hiring a cybersecurity firm to investigate the incident.
“[It was] It’s my fault for not having the checks and balances that should have been put in place on this platform, but hindsight is 20-50,” Carter said.
USI’s Security Division provides spam filtering and anti-phishing services to corporate, government, and other institutional customers. Some of these customers have contracted with Security to operate email systems that have been around since the 1990s, Carter said. Carter said it was only these legacy systems that were affected, not the filtering service.
Carter said a large number of emails were published online, but preliminary investigation shows only a small portion of the messages were downloaded by unauthorized users.
“The first wave that really hit us was relatively small. We received less than 500 emails,” Carter said.
Alex Holden, a cybersecurity consultant in Milwaukee, discovered the issue last week, and the issue was first reported by the technology website Krebs on Security.
In a separate interview with MPR News, Holden said that while working for a client, he and his team discovered a list of Internet domain names that contained links to email folders.
“We found these Open Directories to be very readily available and were in the top 10 results for certain searches.”
Holden said he discovered the page using the search engine Bing and then realized that a China-based search engine was also indexing the page.
He praised USI’s “impressive quick response” in deleting the data after learning of the problem.
