Tech Data has admitted that "a server associated with our StreamOne marketplace" had a security vulnerability, but says there is no evidence that data on the server was misused.
The distributor told CRN Australia that the company "recently learned of a security vulnerability " on the server and that "Within hours of learning of this, the security vulnerability was corrected, and the server was disabled."
"Based on what we know at this time, there is no evidence that the data stored on the affected server was misused for any unauthorised transactions or other fraud," the company told CRN in a statement. "We are continuing to investigate this incident and will satisfy all data reporting requirements, as needed," the company added.
The server did not store credit card numbers, bank account details or credentials. It may, however, have stored "a combination of business data such as information found on a business card and certain other information, such as one-time-use credentials to activate a specific cloud service, and date and time of service activations."
Tech Data's statement came after web privacy service vpnMentor reported that its security researchers had found a "major" data leak at Tech Data that exposed 264 GBytes of client and employee corporate and personal data.
vpnMentor said its researchers discovered the data leak and reached out to Tech Data Sunday, with Tech Data's team responding to a follow-up contact and fixing the data leak Tuesday. The firm also claimed that tech Data was "leaking system-wide data. This contained email and personal user data, as well as reseller contact and invoice information, payment and credit card data, internal security logs, unencrypted logins and passwords, and more.
Tech Data denies that it leaked data of that sort.
TechCrunch also reported that the records exposed on the Tech Data server contained partial payment information such as card type, cardholder names and expiration dates. TechCrunch indicated that none of the leaking data was encrypted except for obfuscated credit card numbers.
TechCrunch journalist Zack Whittaker said in an email that he stood by his reporting, while vpnMentor didn't immediately responded to requests for comment. TechCrunch had spoken with the vpnMentor researchers and examined a portion of the leaked records. vpnMentor said security researchers Noam Rotem and Ran Locar were the ones to identify the Tech Data data leak.
Joseph F. Kovar contributed to this story. Simon Sharwood at CRN Australia added local comment and edited the story.