Cybersecurity firm UpGuard has reported that Veritone Inc., an AI technology provider, inadvertently exposed around 550GB of sensitive US government data. This massive security lapse involved approximately 1.664 billion documents on two unsecured Elasticsearch servers, discovered on March 23 and 24, 2024.
The exposed data, no longer publicly accessible as of March 30, included employee credentials, AI training data, and information from high-profile government bodies such as the Department of Homeland Security and Veterans Affairs.
Veritone leak analysis
The discovery was made by UpGuard's research analysts, who first stumbled upon an unprotected Elasticsearch server on the Microsoft Azure Government Cloud. This initial server contained 162GB spread across 464 million documents. A day later, a second server was located, containing an even larger dataset of 390GB across more than 1.2 billion documents. These servers, identified through DNS to belong to the veritone.com domain, were configured to allow anonymous global access.
Upon discovery, UpGuard immediately notified Veritone on March 24. Veritone's response included initiating contact with the third-party bug bounty platform, Inspectiv.com, which subsequently confirmed the breach with Veritone. By March 30, Veritone had secured the servers, and the data was made inaccessible to the public.
The data mishap exposed a range of sensitive information, including:
- Internal Employee Data: Usernames, full names, email addresses, and internal credentials, including application tokens and plaintext passwords.
- AI Training Data: Metadata for AI models, including scores, sources, and timestamps.
- Client Data: Crucial information relating to US government agencies, including operational details, usernames, and system logs containing personnel details.
Implications
This incident underscores the vulnerabilities associated with storing massive datasets required by AI technologies. The exposed data not only included sensitive internal information but also detailed client data from critical US government sectors, thus posing a potential national security risk. The unauthorized access or misuse of these credentials could lead to further breaches within government networks, exacerbating the severity of the incident.
It is, however, important to note that there have been no signs of the exposed data having been stolen by malicious actors or circulated in cybercrime forums. Though exposed databases are quickly indexed and often exfiltrated by automated crawlers, it is unknown whether this happened in the Veritone incident.
Organizations using Elasticsearch and similar technologies must ensure that their servers are configured correctly to require authentication, a basic yet crucial setting to prevent unauthorized access. Regular audits and real-time monitoring of configurations are necessary to avoid such oversights, especially when handling sensitive data.
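As an illustration of the configuration audit recommended above, the following added example (not code from UpGuard or Veritone) checks an elasticsearch.yml for the combination that leaves a node open to anonymous access. The sample configurations are constructed, the finding codes are hypothetical names, and the parser assumes the flat "key: value" form of the file.

```python
import ipaddress

# Constructed sample configs in the flat "key: value" form of elasticsearch.yml.
EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED = ("network.host: 10.0.4.12\n"
            "xpack.security.enabled: true\n"
            "xpack.security.http.ssl.enabled: true\n")

def parse_flat(text):
    """Parse flat 'key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def loopback_only(host):
    """True when the bind address is reachable from the local machine only."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # lists, hostnames, _site_, _global_: assume reachable

def audit(text):
    """Return finding codes for settings that permit unauthenticated access."""
    s = parse_flat(text)
    host = s.get("http.host", s.get("network.host", "_local_"))
    reachable = not loopback_only(host)
    # Require an explicit 'true': the default differs between major versions.
    auth_on = s.get("xpack.security.enabled", "").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    findings = []
    if not auth_on:
        findings.append("auth-not-enabled")
    if s.get("xpack.security.authc.anonymous.roles"):
        findings.append("anonymous-roles-granted")
    if reachable and not tls_on:
        findings.append("http-without-tls")
    if reachable and not auth_on:
        findings.append("network-reachable-without-auth")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A file-level check like this complements, but does not replace, testing whether the running node actually answers unauthenticated requests.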