ENC Security, the encryption provider for Sony and Lexar, leaked sensitive data for over a year

CyberNews experts discovered that ENC Security, a Netherlands software company, had been leaking critical business data since May 2021.

Original post at https://cybernews.com/security/encsecurity-leaked-sensitive-data/

When you buy a Sony, Lexar, or Sandisk USB key or any other storage device, it comes with an encryption solution to keep your data safe. The software is developed by a third-party vendor – ENC Security.

Netherlands-based company with 12 million users worldwide provides “military-grade data protection” solutions with its popular DataVault encryption software.

As it turns out, ENC Security had been leaking its configuration and certificate files for more than a year, the Cybernews research team discovered.

“The data that was leaking for over a year is nothing less than a goldmine for threat actors,” Cybernews researcher Martynas Vareikis said.

The company said a misconfiguration by a third-party supplier caused the issue and fixed it immediately upon notification.

The discovery

The data inside the leaky server included Simple Mail Transfer Protocol (SMTP) credentials for sales channels, the single payment platform’s Adyen keys, email marketing company’s Mailchimp API keys, licensing payment API keys, HMAC message authentication codes, and public and private keys stored in .pem format.

The data was accessible from 27 May 2021 up until 9 November 2022. The server was closed after Cybernews disclosed the vulnerability to ENC Security.

According to Vareikis, the discovery is worrying since bad actors could exploit the aforementioned data for a variety of cyberattacks – from phishing to ransomware.

For example, sales communication channels could be used to phish clients by sending them fake invoices or spreading malware via trusted email addresses.

“Mailchimp API keys add even more value for the malicious actors interested in phishing campaigns, as it allows them to send massive marketing campaigns and view/collect leads. Having a client list and the ability to use real email for phishing campaigns is nothing less than a goldmine for threat actors,” Vareikis explained.

Ransomware operators exploit .pem files – the keys left inside could result in unauthorized access or even a server takeover.

The repercussions of such a takeover could be devastating. Threat actors might switch the download file with an infected one.

“Having clients such as SanDisk, Sony, Lexar, and more promoting (TrustPilot reviewers complain being forced into using this software when purchasing thumb drives) your infected files would produce one of the biggest ransomware campaigns yet,” Vareikis explained.

ECN Security says its solution is downloaded over 2,000 times monthly.

Payment API keys could expose sensitive client information to the public.

Company’s response

ENC Security said it had taken swift action after analyzing the issue discovered by the Cybernews research team. The vulnerability concerned a misconfiguration by a third-party supplier, ENC Security told Cybernews. The issue is now resolved.

“At ENC Security we take the security and protection of our data seriously. Every finding is thoroughly researched and remediated with appropriate measures. Relevant measures are taken when required, amongst which security measures, informing customers and further enhancing security,” the company’s spokesperson said.

Pelissier discovery

Vareikis believes the Cybernews discovery is no less worrying than the researcher’s Sylvain Pelissier discovery in December 2021.

If you want to read more about Pelissier’s discovery read the post published by CyberNews.

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ENC Security)

[adrotate banner=”5″]

[adrotate banner=”13″]