Thomson Reuters leaves “terabytes” of sensitive data open on the web

Thomson Reuters says that the publicly accessible server containing sensitive information relates to a “small subset” of its OneSource Global Trade product clients.

Cyber research publication Cybernews revealed yesterday (27 October) that the publishing giant had exposed at least 3TB of sensitive data, including plaintext third-party server passwords that could be used to mount a supply chain attack.

According to Martynas Vareikis, Information Security Researcher at Cybernews, threat actors could use the email addresses exposed in the dataset to carry out phishing attacks. Attackers could impersonate Thomson Reuters and send the company’s customers fake invoices.

“Information stored on the server is extremely sensitive. Cases like these raise questions about corporate data collection practices. The ramifications of a data leak of such scale are worrying to say the least,” he said.

While three servers were flagged by Cybernews as being publicly accessible, two are designed to be so and do not contain any sensitive information, according to Thomson Reuters. The third is a non-production server holding application logs for OneSource, and customers who may have had data logged on that server have been notified.

The error arose as a result of a misconfigured server. A spokesperson for Thomson Reuters told Legal IT Insider: “The issue was brought to our attention by an ethical security researcher from Cybernews. Upon notification we immediately investigated the findings provided by Cybernews. Cybernews reported three potentially misconfigured servers. We can confirm that two of the servers are designed to be publicly accessible and do not contain sensitive information.

“The third server is a non-production server related to one Thomson Reuters product, our ONESOURCE Global Trade product. The server only houses application logs from the non-production environment associated with a small subset of Thomson Reuters’s Global Trade customers. We have proactively notified the small subset of customers who may have had data logged on that server. We have also addressed and mitigated the misconfiguration.”

OneSource’s customers include some of the largest corporations in the world. According to its website, the vast majority of OneSource’s customers are in the United States, and it has equally strong representation across the professional services, banking and finance, manufacturing, distribution and insurance sectors.