Encryption provider for Sony leaks data for over a year

A server at encryption services company ENC Security, which serves more than 12 million customers including Sony and Lexar, has been leaking data since 2021.

An investigation by technology news site Cyber News into the Netherlands-based security provider has revealed a flaw in its software which has caused it to leak configuration and certificate files from May 27, 2021 to November 9, 2022.

The data stored inside the vulnerable server included a range of information used to authenticate customers’ identities. These included HMAC message authentication codes, Simple Mail Transfer Protocol (SMTP) credentials, API keys used for licensing payment and email marketing via Mailchimp, access keys for payment platform Adyen and public and private keys stored in.pem format.  

If accessed by unauthorized parties, this data could be exploited by malicious parties for a range of threat vectors, including phishing and ransomware. It could also be used to expose confidential customer information.

An ENC Security spokesperson said to Cyber News that the company “take[s] the security and protection of [its] data seriously” and that findings like the vulnerability are “researched and remediated with appropriate measures [taken]”.

The vulnerability, which according to ENC Security was due to configuration issues with a third-party supplier, was resolved soon after the company was alerted to it.