French company Bull exposes customer data

French technology giant Bull Groupe said an internal sales and marketing database containing customer contact names and network configurations was exposed on one of the company's data processing servers.

"Due to human error, certain pages of a sales and marketing database containing 'customer success stories' were exposed. This base resided on an external Web server outside the firewall," said a company spokesman, adding that the exposed files were immediately protected. "It should have been password-protected and the protection was no longer there, and we are leading an investigation to see exactly what happened."

The exposure was announced Aug. 31, but the Paris-based company said it didn't know how long the data had been exposed. Bull sells management and security software to a range of international clients, including France Telecom, Barclays Bank PLC and the British Royal Air Force. The company, which does business in more than 100 countries, recently spun off its Evidian subsidiary to offer secure networking products to the U.S. market.

According to the spokesman, who declined to be named, the flaw was discovered by several security analysts, including those at Paris-based Kitetoa.com, a Web site of security whistle-blowers and analysts, which alerted the company. The Bull spokesman said Kitetoa had sent the company an alert in April for a similar but unrelated problem also linked to the exposure of a server's file structure.

Kitetoa said in a statement on its Web site that the exposure allowed it to view confidential information on the type and configuration of servers sold by Bull as well as customer names and contact information. Exposed information on a Bull Web page included the type and location of servers used in a database of stolen vehicles, run by the French military police; details on the computer networks used in the Russian tax collection agency; security initiatives at French bank Credit Agricole; and server information and contact names of people in the British Royal Air Force. Kitetoa noted that the site runs on Lotus Domino software, which is marketed by Bull's U.S. competitor, IBM.

A Kitetoa spokesman, who also declined to be named, said no special tools were used to access the information, only a Web browser.
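The failure mode described above and in Bull's own account (a database that "should have been password-protected" while "the protection was no longer there") is one that a plain anonymous HTTP request reveals, which is why a browser was all Kitetoa needed. The following script is an added example, not code from the article, from Bull or from Kitetoa: it sends credential-less GETs to URLs that are supposed to be protected and flags any that are served with a 2xx status instead of an authentication challenge, a denial, or a redirect to a login page. All URLs and paths in it are constructed placeholders.

```python
"""Verify that resources which must require authentication still challenge an
anonymous client. Run it on a schedule against the public interface of a Web
server so that a silently removed password prompt is noticed before an
outsider notices it. Added example; hostnames and paths are hypothetical."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import urllib.error
import urllib.request


@dataclass
class Probe:
    """What an anonymous GET of one URL returned."""
    url: str
    status: int
    www_authenticate: Optional[str]  # WWW-Authenticate header, if present
    location: Optional[str]          # Location header on a redirect, if present


def classify(p: Probe) -> str:
    """Map a response to a verdict. Only a 2xx body handed to an anonymous
    client counts as exposure; everything else is either fine or needs a look."""
    if p.status in (401, 403):
        return "protected"                   # server refused or demanded credentials
    if p.status in (301, 302, 303, 307, 308):
        # A bounce to a login page is protection; a bounce elsewhere is not proven.
        if p.location and "login" in p.location.lower():
            return "protected"
        return "unexpected"
    if 200 <= p.status < 300:
        return "EXPOSED"                     # content served with no credentials
    if p.status == 404:
        return "absent"
    return "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Probe:
    """Anonymous GET: no cookies, no Authorization header, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "auth-check/1"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            hdrs = resp.headers
            return Probe(url, resp.status, hdrs.get("WWW-Authenticate"), hdrs.get("Location"))
    except urllib.error.HTTPError as err:
        return Probe(url, err.code, err.headers.get("WWW-Authenticate"), err.headers.get("Location"))


def audit(probes: Iterable[Probe]) -> List[str]:
    """Return the URLs that an anonymous client can read outright."""
    return [p.url for p in probes if classify(p) == "EXPOSED"]


def live_audit(urls: Iterable[str]) -> List[str]:
    """Fetch each URL anonymously and report the exposed ones (needs network)."""
    return audit(fetch(u) for u in urls)


def demo() -> List[str]:
    """Constructed sample responses (not real servers) showing each verdict."""
    samples = [
        Probe("https://www.example.invalid/sales/", 401, 'Basic realm="sales"', None),
        Probe("https://www.example.invalid/marketing/", 302, None, "https://www.example.invalid/login"),
        Probe("https://www.example.invalid/success-stories/", 200, None, None),
        Probe("https://www.example.invalid/archive/", 404, None, None),
    ]
    return audit(samples)


if __name__ == "__main__":
    for url in demo():
        print("EXPOSED:", url)
```

The script deliberately does not follow redirects and sends no cookies, because a browser that still has a session from an earlier login would hide exactly the condition being tested. A 2xx verdict is a signal to investigate, not proof of a leak: a page may be public by design, so review the flagged list against the intended access policy.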

"I think that rather than 'human errors,' we exploit human stupidity," wrote the spokesman via e-mail. "As these companies feel it is important to keep some data secret, they should do it properly. Putting confidential data on a public Web server with an external IP address is stupid."

While the Bull spokesman insisted that no sensitive or confidential information was exposed on the database, he did acknowledge that the data included customer names and contact information, as well as the configuration and cost of equipment sold.

"This information should not have been visible, but it was not sensitive information which would always be behind the firewall, and the firewall was not breached," the spokesman said. He said customers were being contacted to alert them of the breach.

The Kitetoa spokesman noted, however, that the exposed documents were marked "internal use only" and "confidential data" and could provide useful information to the company's competitors.

"When you're a big company like this one, you don't want your salesman's comments about IBM, [Hewlett-Packard Co.] or Sun exposed, nor do you want your comments about the clients, the amount of money you get from a deal, why you won and why you weren't as good as you could have been on this deal, being exposed," said the spokesman.

"They should not want the technical data on their clients being exposed," he added. "That is dangerous for the clients."


Copyright © 2000 IDG Communications, Inc.
