Hello,
A client has a software vendor who exposed the client's remote login credentials to Google! I'm looking to get people's thoughts as to the severity of the risk created by this software vendor.
Here is the summary:
The client has a custom business application made by a software company, we will call them SWX, which has been installed and running for a number of years. During the initial install, SWX required 24/7 administrative remote access to the client's server, as SWX has to log in remotely often for ongoing support of their software.
Recently, SWX inadvertently exposed their own internal support database to the internet. Google was able to index their entire client database, which included ALL client remote access passwords and credentials, including VPN credentials, public IP addresses, protocols, everything! Looking at the dates of the information, it shows that this data was on Google (for hackers to see) for at least 2 months!
Upon finding the information, of course we instantly changed passwords, shut down remote access, had Google remove that information from their search engine, scanned for threats, etc.
But what we are left with is risk and liability. I feel SWX created massive risk for the client. There is no way the client can be assured that their system has no backdoor or that it is not compromised in some way, correct? That being the case, the only option the client has to address their current and future liability is to reinstall the operating systems and software on all machines (server and workstations) at the same time, correct?
The reason I am asking for opinions here is because the client's legal team appears to be unsure of the severity of SWX's breach from a technical perspective, and what kind of risk and liability SWX created. Therefore, I'm hoping to gather feedback from other IT-minded folks to support what I have been telling them (that this is the worst breach I have ever personally seen).
Therefore, if you can, please let me know:
1) What risk and liability did the software vendor create?
2) What is the technical response that should be done to address the risk/liability? (Should the systems be rebuilt?)
3) Is this a situation in which the client or their legal team should EASILY be able to get outside IT advisers/experts or IT companies to review the situation, submit their expert opinion, and prove to the software vendor that they should pay for a rebuild?
4) Can the software vendor be liable or responsible for more than the cost of the rebuild?
Thanks for all your help!
I would be curious though how it was exposed specifically.