Peak Design data breach exposes customer information for a decade [resolved]

Dunja Đuđić

Dunja Djudjic is a multi-talented artist based in Novi Sad, Serbia. With 15 years of experience as a photographer, she specializes in capturing the beauty of nature, travel, concerts, and fine art. In addition to her photography, Dunja also expresses her creativity through writing, embroidery, and jewelry making.


Photography gear company Peak Design suffered a major data breach. According to reports, the exposed data included names, email addresses, home addresses, order information, and even customer service inquiries. To make things worse, it allegedly left almost ten years’ worth of customer information vulnerable.

The leak stemmed from a critical security lapse. Peak Design left an Elasticsearch server, a search engine used for internal data analysis, publicly accessible without a password. This essentially left the server wide open on the internet. Folks at Cybernews discovered the leak on April 25, 2024, and they say that the leaked data itself dates back to June 2014.
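For administrators who want to check their own nodes for this class of exposure, here is a small configuration audit, added as an illustration and not taken from Peak Design or Cybernews. The reports do not say which setting was at fault; `network.host`, `http.host` and `xpack.security.enabled` are Elasticsearch's own setting names, and both sample configurations are constructed.

```python
import ipaddress

# Constructed samples; these are not Peak Design's configuration files.
WEAK = """
# search node for historical tickets
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """
network.host: 127.0.0.1
xpack.security.enabled: true
"""

def parse_flat_yaml(text):
    """Read flat 'key: value' lines from an elasticsearch.yml; nesting is not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def binds_beyond_loopback(host):
    """True when the bind address lets other machines reach the node."""
    if host in {"_local_", "localhost"}:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # _site_, _global_, hostnames, lists: treat conservatively as reachable.
        return True

def audit(text):
    """Return findings for a node that listens off-host without authentication."""
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the REST API; the default bind is loopback.
    host = s.get("http.host", s.get("network.host", "_local_"))
    auth = s.get("xpack.security.enabled", "").lower()
    findings = []
    if binds_beyond_loopback(host) and auth == "false":
        findings.append(f"CRITICAL: bound to {host} with authentication disabled")
    elif binds_beyond_loopback(host) and auth != "true":
        findings.append(f"WARN: bound to {host}; xpack.security.enabled not set, "
                        "default depends on the Elasticsearch version")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A non-loopback bind only means other hosts can reach the node; whether the internet can depends on the firewall or cloud security group in front of it, which should be checked separately.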

The exposed data poses a significant risk to Peak Design customers. While the information wasn’t live and wouldn’t impact product shipments, it could be exploited in several ways. Scammers could sell the data to marketing agencies or spammers, potentially leading to unwanted solicitations. The data breach also increases the risk of phishing attacks, where emails impersonate Peak Design to steal further information. Additionally, the leaked data could be used for doxxing, the act of publicly revealing private or identifying information.

The situation is further complicated by the discovery of a ransom note left by a ransomware bot on Peak Design’s systems. The note suggests hackers accessed the server and may possess a copy of the data. Cybernews writes that it notified Peak Design, which has since secured the server. However, the company has yet to issue an official statement regarding the breach.

This incident highlights the importance of proper data security. After all, this isn’t the first time something like this has happened. We have many examples, including other photography-related companies like Adobe and Pixsy. Needless to say, companies entrusted with customer information have a responsibility to implement robust security measures. Peak Design’s failure to secure their server demonstrates a critical lapse in protecting sensitive customer data.

We have reached out to Peak Design for comment and will update the article if we hear back.

Update June 5, 2024: Peak Design has issued a statement regarding the incident, and here it is in full:

Hello, Peter here, Peak Design’s Founder and CEO.

You support Peak Design with the confidence that we protect your privacy. We recently discovered and fixed a data compromise involving historical customer service tickets. In the most direct possible terms, here is what you need to know:

What data was compromised?

Peak Design customer service tickets from October 2013 to May 2023. These tickets can include customer names, emails, shipping addresses, order details, and correspondences with our customer service team. It’s important to note that NO passwords, credit card info, bank info, social security numbers, or other personal information was compromised.

Was your data compromised?

If you had correspondence with our customer service team during the aforementioned dates, the contents of that correspondence may have been compromised.

What are the implications for you?

Peak Design is not aware of any misuse of your information, and again, no account credentials, credit card info, bank info, social security numbers were part of this compromise. Regardless, you should be observant and exercise caution. If you receive communication from or relating to Peak Design that seems suspicious, contact us at security@peakdesign.com. If you are concerned about identity theft and would like more information on ways to protect yourself, visit the Federal Trade Commission’s Identity Theft website at https://www.identitytheft.gov.

How did this happen?

Last year Peak Design migrated to a new customer service platform, and as a part of that migration we created an internal system for agents to quickly search historical tickets. On March 11, 2024 a security gap was inadvertently created when the private server hosting the information was accidentally made externally accessible. On April 25th the staff at Cybernews, an independent cybersecurity research publication, detected the problem and we promptly fixed it. We believe the data was compromised on April 1st by an unauthorized third party. We don’t know that party’s identity or if they actually saved or distributed any info, and are not aware of any misuse of that information.

What are we doing to make sure this doesn’t happen again?

This issue happened because a single setting was mistakenly enabled, and we have since put in place an IT approval protocol and enhanced training to prevent this from happening again. Moreover, we are actively reviewing our privacy protocols and data-handling training regimen.

Here is our full privacy policy, purposely written in understandable terms, that explains what data we collect/retain and how we protect it. If you have any questions or concerns please reach out to us at security@peakdesign.com.

Your trust means everything to us. The risk of cyber attack is a reality of doing business in the modern world, and we’re responding to this incident with the utmost haste and seriousness. It is in our mission to treat our customers as peers, which to us has always meant clarity in communication, honoring our word, and respecting your privacy. Thank you for your continued support.

Peter Dering
Founder & CEO
