
Peak Design accidentally leaked 10 years of customer data and records

A decade's worth of Peak Design customer data (approximately half a million records) was made public because the information was temporarily not password protected due to a data migration.

The data leak was discovered by Cybernews, which published a report this morning. It includes a full summary of the leak, the suspected causes, screenshots supporting the publication's findings, and alleged evidence that the data was viewed by malicious third parties.

“On March 25, the Cybernews research team identified the leak and informed the company. While the data appeared in search engines on April 24, the leaked support tickets span nearly a decade from June 2014 to May 2023, increasing the scope of the leak,” Cybernews writes. “Cybernews researchers found a ransom note on the company's systems, indicating that the threat actor likely accessed them at least once.”

Peak Design confirmed the data breach to PetaPixel this afternoon.

“You support Peak Design with the confidence that we will protect your privacy. We recently discovered and fixed a data breach in historical customer service tickets,” explains Peter Dering, founder and CEO of Peak Design, in an email sent to PetaPixel but addressed to customers.

According to Peak Design, the data includes customer service tickets from October 2013 to May 2023.

“These tickets may include customer names, emails, delivery addresses, order details and correspondence with our customer service team. It is important to note that NO passwords, credit card information, banking information, social security numbers, or other personal information have been compromised,” says Dering. “If you corresponded with our customer service team during the dates listed above, the contents of that correspondence may have been compromised.”

The company states that it is not aware of any misuse of the information and reiterates that no account credentials, credit card information, bank details or social security numbers were affected by this data breach.

“If you receive any communications from or related to Peak Design that seem suspicious to you, please contact us at [email protected]. If you are concerned about identity theft and would like more information about how to protect yourself, visit the Federal Trade Commission's identity theft website.”

How the leak occurred

Cybernews reported that the information was publicly visible because Peak Design had not set a password on its Elasticsearch servers.

“The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems,” explains Cybernews. “Access to the Elasticsearch servers should never be made available on the public web without proper authentication, as they are a common target of threat actors seeking user data. Ransomware bots in particular target poorly secured instances and delete data.”

According to Peak Design, this happened as a result of a data migration.

“Last year, Peak Design migrated to a new customer service platform and as part of that migration, we created an internal system that allows agents to quickly search for historical tickets. On March 11, 2024, a security vulnerability was accidentally created when the private server hosting the information was accidentally made externally accessible. On April 25, Peak Design staff and Cybernews, an independent cybersecurity research publication, identified the issue and we immediately fixed it. We believe the data was compromised by an unauthorized third party on April 1. We do not know the identity of that party, nor do we know whether they actually stored or shared information, nor are we aware of any misuse of that information,” Dering says.

Peak said the problem arose because a single setting was “incorrectly enabled.” The company has since implemented “an IT approval protocol and increased training” to ensure a leak like this doesn't happen again.
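As an added illustration of the exposure pattern Cybernews describes and the “single setting” Peak Design mentions, this Python check (not code from the article, Cybernews or Peak Design) flags an elasticsearch.yml that binds beyond loopback without authentication switched on. The setting names are standard Elasticsearch options; the two sample configs are constructed, since the article does not say which setting Peak Design actually changed.

```python
# Added example: audit a flat elasticsearch.yml for the combination the
# article describes, an instance reachable from outside with no authentication.
# The sample configs below are constructed for illustration.

LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_exposure(settings: dict) -> list:
    """Return findings when the node is externally bound and auth is not on."""
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch default: loopback only
    bound = {h.strip() for h in host.strip("[]").split(",")}
    external = not bound <= LOOPBACK
    # Treat a missing value as "not enabled": older releases defaulted it off.
    security = settings.get("xpack.security.enabled", "").lower()
    if external and security != "true":
        findings.append(
            f"network.host={host!r} is reachable beyond loopback while "
            f"xpack.security.enabled={security or 'unset'!r}: unauthenticated access"
        )
    return findings


WEAK = """\
cluster.name: support-ticket-search
network.host: 0.0.0.0           # bound to every interface
xpack.security.enabled: false   # authentication switched off
"""

HARDENED = """\
cluster.name: support-ticket-search
network.host: 127.0.0.1         # reachable only from the host itself
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_exposure(parse_flat_yaml(cfg)) or ["ok"])
```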

“In addition, we are actively reviewing our privacy protocols and our data handling training program,” adds Dering.

“Your trust means everything to us. The risk of a cyberattack is a reality of doing business in the modern world, and we are responding to this incident with the utmost urgency and seriousness. It is our mission to treat our customers as equals, which for us has always meant clear communication, keeping our word, and respecting your privacy. Thank you for your continued support.”

Cybernews' full report can be read on the publication's website.