In a significant data breach, Peak Design has revealed that approximately half a million records from the past decade were exposed due to a lapse in password protection during a data migration process. The leak, discovered by Cybernews, affected customer service tickets from October 2013 to May 2023. This data, which included customer names, emails, shipping addresses, and order details, was publicly visible because an Elasticsearch server was inadvertently left unprotected.
The breach came to light when Cybernews reported the issue on March 25, 2024, and confirmed that the data had been indexed by search engines by April 24. The compromised data did not include sensitive information such as passwords, credit card details, or social security numbers, but the existence of a ransom note suggested that the data had been accessed by unauthorized parties.
Peak Design promptly addressed the situation, explaining that the breach resulted from a configuration error during a server migration. Although the company confirmed the incident and provided details, it stressed that there was no evidence of data misuse or distribution. The exposed data was restricted to customer service interactions, and Peak Design has since implemented additional security measures and revised its protocols to prevent future breaches.
In response to the incident, Peak Design is offering guidance for customers concerned about identity theft and has increased its focus on data protection. The company has assured customers that no sensitive personal information was compromised and is taking steps to enhance its security practices and improve employee training to mitigate future risks.