Database belonging to Builder.ai found exposing 1.29TB and 3M+ records

More than 3 million records and 1.29 terabytes of data belonging to a prominent artificial intelligence startup have been found exposed on a misconfigured cloud storage system.

Discovered by security researcher Jeremiah Fowler and detailed by Website Planet, the unprotected database was allegedly found to belong to Builder.ai, an AI-powered software development platform provider that had raised $450 million in venture capital funding, including a round of $250 million in May 2023.

The exposed database contained a combination of sensitive and operational data that would put both Builder.ai’s clients and its internal operations at risk.

Among the 3 million records was personally identifiable information such as names, email addresses, phone numbers and physical addresses. The database also included project details, including ongoing and completed software development plans, client interactions and timelines, which could expose intellectual property to malicious actors or competitors.

Along with client data, the exposed database included internal communications between Builder.ai employees. According to Fowler, the emails and messages discussed client projects, operational challenges and confidential business strategies. The database also included financial records, including invoices and payment details, increasing the risk of fraudulent activities and financial exploitation.

The breach was attributed to a misconfigured cloud storage system that lacked adequate security settings, allowing unauthorized access. Builder.ai isn’t the first company to expose data this way and it won’t be the last, though an organization with $450 million in venture capital should have processes in place to prevent such potentially dangerous data exposures from occurring.

But while Builder.ai should have known better, what comes next is just as worrisome. Fowler details how, despite his sending multiple messages from Oct. 28 onward, the database remained exposed and accessible to anyone for nearly a month. Builder.ai also knew the database was exposed, with an employee telling Fowler by email at one point that “unfortunately, it’s taking longer than we’d like as a result of some complexities with dependent systems” to get the database taken down.

Though Fowler doesn’t say which cloud provider the database was hosted on, if it was Amazon Web Services Inc., it takes perhaps no more than 10 seconds to change read permissions on AWS services such as S3.

Fowler does note that it’s not clear whether the database was owned and managed by Builder.ai directly or via a third party, but the fact that an organization like Builder.ai, with an enormous amount of VC funding, couldn’t fix an easy security issue, either directly or with a third party, raises questions.

The length of the exposure and the fact that Builder.ai, which is based in the U.K., did not take action when advised also raise legal questions under various privacy laws, including the U.K. Data Protection Act 2018, the original European Union General Data Protection Regulation and the complementary U.K. GDPR.

Image: SiliconANGLE/Ideogram
