The probability that Lenovo has earned the infamous record for becoming a subject of the world’s biggest data breach in history is shaping-up fast. The culprit? The still online legacy Iomega storage system harboring a security flaw but still being used as an internal NAS drive that was left within the infrastructure of Lenovo for many months, and were tapped by an external party. Iomega used to be a famous external storage company incorporated in 1980, which was famous for being a trailblazer of early high capacity devices such as the Zip and Jaz disc in the late ‘90s. It merged with Lenovo, creating a subsidiary, a shadow of its former self now known as LenovoEMC.
Vertical Structure, a penetration testing service firm, disclosed the information in their special blog article titled: “Best Practices in Identifying and Remediating Vulnerabilities”. An estimated 13,000 LenovoEMC spreadsheet files were indexed in the data breach, reaching a total size of 36TB were leaked by unknown parties. Yes, you read it right, 36 Terabytes worth of spreadsheets, with a “T”, apparently containing sensitive personal information, including financially sensitive data.
Lenovo confirmed the data breach in their official press release posted in their support page. The bug in the legacy Iomega storage NAS documented as CVE-2019-6160. “A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API. Update to the firmware level (or later) described for your system in the Product Impact section.If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks,” explained LenovoEMC.
The irony with Lenovo’s own press statement is the company itself is the primary victim of its own hardware’s security flaw. During the period of the leak incident, around 5,114 of these legacy vulnerable NAS devices were still in full operations within the network of Lenovo. The sorry state of using these end-of-life devices in daily operations of the company is serious being taken as irresponsible use of equipment from the standpoint of IT security professionals. That means, these devices though operational inside the Lenovo’s own network are actually not supported in any way by its subsidiary LenovoEMC, they were left operating without the presence of any bug fixing process. The primary difference between a support product compared to a discontinued one is the latter’s firmware is no longer patched to fix security flaws.
“Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it,” emphasized Vertical Structure.
The most conflicting advice that Lenovo provided its users about how to handle the CVE issue was to update the firmware. Such advice does not apply for Iomega NAS drives that already reached its life cycle. It is not yet clear if Lenovo has already shutdown the NAS devices that were involved in the data breach incident.