We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Report: Data Breach at Fortune 500 Tech Company

vpnMentor Research Team Cybersecurity and Research Lab

The research team at vpnMentor discovered a major data leak at the Tech Data Corporation (NASDAQ: TECD), a Fortune 500 company providing tech products, services, and solutions globally.

vpnMentor’s researchers, led by security researchers Noam Rotem and Ran Locar, identified the consequential data breach that exposes access to 264GB of Tech Data’s client servers, invoices, SAP integrations, plain-text passwords, and much more.

Tech Data recently announced their quarterly earnings reports, which exceeded expectations and reflected a year over year increase (source: Nasdaq). More than 1 in 4 Fortune 500 companies have been hacked in the last decade, so Tech Data is part of an elite, but particularly vulnerable, club.

Timeline of Discovery and Reaction

Data Leak Discovered: June 2, 2019
Reached Out to Tech Data: June 2, 2019
Attempted to Contact Tech Data Again: June 4, 2019
Tech Data Team Responded: June 4, 2019
Data Leak Fixed: June 4, 2019

Editor's Note: It’s worth noting that Tech Data’s team was very professional in handling news of the leak and asked the real questions to solve the problem. We commend their expertise and dedication.

Information Included in the Data Leak

Tech Data - the 45-year-old veteran infrastructure solutions company working with vendors such as Apple, Cisco, Samsung, NortonLifeLock, et al. - had a full database leak that seemed to affect much of the corporate and personal data of clients and employees.

We saw that there was a log management server (Graylog) that was leaking system-wide data. This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more.

This was a serious leak as far as we could see, so much so that all of the credentials needed to log in to customer accounts were available.

For ethical reasons and considering the vast size of the database, we were unable to thoroughly review all of its contents, and it is possible that more sensitive information was accessible to the public beyond what we have disclosed in this report.

Some of the available data included:

  • Private API keys
  • Bank information
  • Payment details
  • Usernames and unencrypted passwords
  • Full PII (personally identifying information), including:
    • Full names
    • Job titles
    • Email addresses
    • Postal addresses
    • Telephone numbers
    • Fax numbers

Also included was machine and process information from clients’ internal systems, including errors, which could easily help less-friendly hackers find out more about the systems and their mechanics.

The Danger of Exposing this Information

With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) - including for a criminal defense attorney, a utilities service provider, and more. The leak contained enough details for a nefarious party to easily access users’ accounts - and possibly gain the permissions associated with those accounts.

As Tech Data is such a significant player in the industry, the exposed database left it vulnerable both to competitors looking to gain an unfair advantage and to hackers looking to take control of its systems and exploit them with ransomware and the like.

One of the private API keys discovered from the database

How We Found the Data Breach

vpnMentor’s research team is currently undertaking a huge web mapping project. Using port scanning to examine known IP blocks reveals gaps in web systems, which are then examined for vulnerabilities, including potential data exposure and breaches.

Tapping into years of experience and know-how, the research team examines the database to confirm its identity.

After identification, we reach out to the database’s owner to report the leak. Whenever possible, we also alert those directly affected. This is our version of putting good karma out on the web – to build a safer and more protected internet.

Advice from the Experts

Could this data leak have been prevented? Absolutely! Companies can avoid such a situation by taking essential security measures immediately, including:

  1. First and foremost, secure your servers.
  2. Implement proper access rules.
  3. Never leave a system that doesn’t require authentication open to the internet.

For more in-depth information on how to protect your business, check out how to secure your website and online database from hackers.

Check Out More Data Leaks We’ve Discovered

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

Additional cybersecurity risks discovered by our team include explicit messages leaked by a dating app, which left over 200,000 users - including government employees - vulnerable to potential blackmail and extortion, as well as the exposure of detailed security logs from a prominent hotel management group.


About the Author

vpnMentor Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.