Zotac, a prominent manufacturer of computer hardware, has been involved in a significant data breach incident. YouTuber GamersNexus first reported this alarming development in a video posted yesterday.
According to GamersNexus, a simple Google search using the term “Zotac RMA” can reveal customers' email addresses, approved RMA claims, and even invoices from major companies. The video demonstrated that the first result from such a search displayed a customer's personal email address and an approved RMA claim, with similar sensitive information appearing in subsequent results.
“This isn't just an SEO problem; this is a privacy and server configuration problem,” GamersNexus stated. “Documents like invoices, credit memos, and even chat logs with personal information were publicly accessible and searchable on Google. This is unacceptable.”
The breach appears to be a result of misconfigured server settings that allowed these sensitive documents to be indexed by search engines. Notably, the breach affected both individual consumers and business-to-business transactions. Documents revealed included proof of purchase, chat logs, invoices, and even personal addresses and phone numbers.
GamersNexus highlighted the severity of the issue by showcasing a variety of documents, including a bill of lading from Micro Center and an Amazon order history. The investigation also uncovered sensitive business information, such as pricing and credit memos, which could potentially give competitors an unfair advantage.
The breach was initially brought to light by a viewer of GamersNexus, who discovered their personal information through a Google search. Although the viewer notified Zotac, the issue was not fully addressed until GamersNexus intervened and contacted some of Zotac's business partners. This pressure led to a swift response from Zotac, which began to take corrective actions.
In response to the breach, Zotac has disabled the upload attachment button on its website and has instructed customers to email attachments to a separate email inbox as an interim fix. They have also reconfigured the server permissions to prevent further leaks.
While these actions indicate that Zotac is taking steps to address the issue, the breach raises significant concerns about the company's data security practices. The exposure of sensitive information, both personal and business-related, underscores the need for stricter data protection measures.
GamersNexus also issued a public service announcement, advising consumers to be cautious about the information they upload for RMA purposes. They recommend redacting unnecessary personal details and ensuring that sensitive information is not included in uploads. Consumers and businesses that have submitted RMA requests to Zotac are urged to remain vigilant and take proactive steps to protect their sensitive information.