Report: Audio Tech Giant Exposed Thousands of Customers' Data
Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered that consumer audio giant Sennheiser had accidentally left an old cloud account full of customer data out in the open.
While the account in question appears to have been dormant since 2018, over 28,000 Sennheiser customers were exposed, with sensitive private data leaked.
The data may be old, but it’s still valuable to criminals and hackers, and the leak itself could have been much worse. It represents a massive oversight by a huge, multinational, well-known company.
Data Breach Summary
| Item | Details |
|---|---|
| Size of data in gigabytes | 55 GB |
| Suspected no. of files | 407,000+ |
| No. of people exposed | 28,000+ |
| Date range/timeline | Dec '15 - Mar '18 |
| Types of data exposed | PII data; database backup |
| Potential impact | Identity theft; tax fraud; insurance fraud; mail fraud; bank account takeover; debit or credit card fraud; mortgage fraud |
| Data storage format | Misconfigured AWS S3 bucket |
Sennheiser was founded in the German town of Wedemark in 1945 by Dr. Fritz Sennheiser. To this day, it remains a privately-owned, family-run business based in Wedemark.
The company manufactures high-quality audio equipment for personal and business use, including microphones, headphones, recording equipment, and aviation headsets.
Sennheiser has operations in over 50 countries worldwide, with roughly 2,800 employees and an annual turnover of €756.7 million in 2019.
Timeline of Discovery and Owner Reaction
- Date discovered: 26th October 2021
- Date vendors contacted: 28th October 2021
- Date of Response: 1st November 2021
- Date of Action: 1st November 2021
Sometimes, the extent of a data breach and the data's owner are obvious, and the issue is quickly resolved. But such cases are rare. We often need days of investigation before we understand what's at stake or who's exposing the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, Sennheiser was using an Amazon Web Services (AWS) S3 bucket to store data collected from the public through its various activities. S3 buckets are a popular enterprise cloud storage solution. However, it is up to the users to properly define the security settings to protect any data stored therein.
Sennheiser failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills.
We quickly identified Sennheiser as the owner of the data due to several factors, including files with the company’s name and Sennheiser employees listed in the bucket’s infrastructure.
Once we confirmed that Sennheiser was responsible for the data breach, we contacted the company to notify it and offer our assistance. Sennheiser replied a few days later and asked us to give details of our findings. We disclosed the URL leading to the unsecured server and provided further detail about what it contained. Despite not hearing back from the company again, the server was secured a few hours later.
Example of Entries in the S3 Bucket
Sennheiser was using its S3 bucket to store over 55 GB of data from over 28,000 customers, collected between 2015-2018.
While it’s unclear how all this data was collected, it appears to be from customers and businesses requesting samples of Sennheiser products. As a result, vast amounts of Personally Identifiable Information (PII) data was exposed in the breach, including:
- Full names
- Email addresses
- Phone numbers
- Home addresses
- Names of companies requesting samples
- Number of the requesting company’s employees
The S3 bucket also contained a 4 GB database backup, but this was protected, and for ethical reasons, we didn’t try to gain access.
While the data breach affected Sennheiser’s customers and suppliers across the globe, the majority of people affected were based in North America and Europe.
Data Breach Impact
Had malicious or criminal hackers discovered Sennheiser’s AWS account before it was secured, they could have used the exposed data in a wide range of criminal schemes.
The exposed data would have been enough for skilled hackers to commit many of the most common forms of fraud, including:
- Identity theft
- Tax fraud
- Insurance fraud
- Mail fraud
- Bank account takeover
- Debit or credit card fraud
- Mortgage fraud
- And many more...
However, even if the exposed data wasn’t sufficient to exploit for criminal gains, it could also be used to carry out complex phishing campaigns.
In a phishing campaign, criminals send victims fake emails and text messages imitating real businesses and organizations. By building the victim’s trust, they hope to trick them into any of the following actions:
- Providing additional PII data (i.e., social security numbers) or private information (i.e., bank account details) that can be used in the fraudulent activities listed above.
- Inputting debit or credit card details into a fake payment portal so they can be scraped and used by criminals or sold on the dark web.
- Clicking a link embedded with malicious software that infects a user’s device, such as malware, spyware, and ransomware.
If the data was collected using a “request a sample” type form, cybercriminals could use the details to create incredibly convincing phishing emails posing as Sennheiser and trick previous customers into providing additional personal information or clicking a malicious link.
Furthermore, due to the number of people exposed in this data breach, cybercriminals would only need to successfully scam a small fraction for any criminal scheme to be considered successful.
As Sennheiser is based in Europe, and this leak affected many European citizens, the company is within the EU’s GDPR jurisdiction. As a result, it will have to report the data breach and immediately fix the vulnerability that left its server exposed. Otherwise, it could face further investigation and fines by the regulatory body.
Sennheiser could also face scrutiny from the public and media for exposing so many people to fraud and online attacks. Any negative publicity generated from the story could lead potential customers to one of its many rivals in the audio industry.
Responding to each of these outcomes would be costly to the company’s finances.
Advice from the Experts
Sennheiser could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:
- Securing its servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
- Encrypting sensitive data while it is stored and not in use.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on protecting your business, check out our guide to securing your website and online data from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of Sennheiser, the quickest way to fix this error would be to:
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
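The three fixes above map onto settings AWS exposes on every bucket: the Block Public Access flags, the bucket policy, and the bucket ACL. The following is an added example (not code from vpnMentor or Sennheiser) that audits those three settings offline and reports anything that would leave the bucket readable by the public. The bucket name, account ID, role name and configurations are constructed sample values; the group URIs, Block Public Access keys and policy/ACL shapes are the real ones AWS uses. The open configuration is shown next to a hardened one so the difference is concrete.

```python
"""Added example: audit an S3 bucket's public-exposure settings.

Inputs are dicts/JSON in the same shape boto3 returns from
get_public_access_block, get_bucket_policy and get_bucket_acl, but
constructed inline here so the check runs with no AWS credentials."""
import json

# Real AWS group URIs: a grant to either makes the ACL "public".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access settings; all should be True.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """Principal '*' or {"AWS": "*"} means the statement applies to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids (or indexes) of unconditional Allow statements granted to everyone."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce, aws:PrincipalOrgID) may scope the grant;
        # this audit conservatively flags only grants with no Condition at all.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Return permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def audit_bucket(public_access_block, policy_json, acl):
    """Combine the three checks into a list of findings; an empty list means no public exposure."""
    findings = []
    missing = [k for k in BPA_KEYS if not public_access_block.get(k, False)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    for sid in public_policy_statements(policy_json):
        findings.append(f"bucket policy statement '{sid}' allows Principal '*' unconditionally")
    for perm in public_acl_grants(acl):
        findings.append(f"ACL grants {perm} to a public group")
    return findings


# --- constructed sample inputs (hypothetical bucket, account and role) ---
OPEN_BPA = {k: False for k in BPA_KEYS}
HARDENED_BPA = {k: True for k in BPA_KEYS}

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sample-requests/*"}]})

# Hardened: read access only for one application role, and TLS enforced for everyone.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/sample-request-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sample-requests/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-sample-requests", "arn:aws:s3:::example-sample-requests/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id>"},
               "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, args in (("open", (OPEN_BPA, OPEN_POLICY, OPEN_ACL)),
                        ("hardened", (HARDENED_BPA, HARDENED_POLICY, PRIVATE_ACL))):
        print(label, audit_bucket(*args) or ["no public exposure found"])
```

Against a live account the same functions take the output of boto3's `get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]`, `get_bucket_policy(Bucket=name)["Policy"]` and `get_bucket_acl(Bucket=name)`; a bucket with no policy raises `NoSuchBucketPolicy`, which the caller should treat as an empty policy rather than a finding. The check deliberately ignores conditional grants, so a conditioned `Principal: "*"` statement still deserves a manual read.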
For Sennheiser Customers
If you’re a customer of Sennheiser and are concerned about how this breach might impact you, contact the company directly to find out what steps it's taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy. It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered Sennheiser’s data breach as part of a huge web mapping project. Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.
Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the data, usually a commercial business.
As ethical hackers, we’re obliged to inform a company when we discover flaws in its online security. We reached out to Sennheiser not only to let it know about the vulnerability but also to suggest ways to make its system secure.
These ethics also mean we carry a responsibility to the public. Sennheiser’s users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
We have no evidence or way of knowing whether the data in our reports has been accessed or leaked by anyone else; only the bucket's owner can know that.
We do our best to prevent this from happening by reaching out to the companies and ensuring they secure their leaking database as soon as possible.
We never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
This has included an enormous data breach exposing the data of 10,000s of American restaurant diners. We also revealed that a company owned by European hotel giant AccorHotels compromised the privacy and security of hotel guests worldwide. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
Introducing The Leak Box
The Leak Box is hosted on the Dark Web and allows ethical hackers to anonymously report any data breach they find online. Alternatively, anyone can submit a breach here on vpnMentor, any time, from anywhere, without compromising their privacy.