Zotac breakdown: RMA documents and dealer invoices can be viewed online

An incorrect server setting caused Google to index countless documents from Zotac USA. Private data and invoices to resellers thus became public.


Quite an oopsie - Zotac made customer data publicly available.

(Image: jurgenfr/ Shutterstock.com)

This article was originally published in German and has been automatically translated.

A minor oversight had a major impact on the US branch of hardware manufacturer Zotac. Documents from countless warranty cases and other business transactions were accessible online via simple search engine queries, for example via Google.

Among the exposed files were documents uploaded through the official RMA (Return Merchandise Authorization) form, mostly invoices that customers had submitted as proof of purchase. They revealed names, postal and email addresses and, where given, telephone numbers. Zotac sells graphics cards and mini PCs, among other products.

The YouTube channel "Gamers Nexus" brought the issue to light. A viewer had reported it after finding his own RMA case through a Google search for his own name. That case was a year old, so the exposure had existed for at least that long. Apparently every file uploaded through the form on Zotac's website landed in a web server directory that was reachable from the public Internet and marked as indexable for search engines.

Gamers Nexus informed Zotac about the problem, and a few days later the viewer's document was no longer accessible. Other documents that the channel had been able to view and show in its video, however, still were. These include a number of invoices that Zotac issued to resellers in the USA. They itemize graphics cards and other devices, including prices and payment terms. Invoices to large US retailers such as Micro Center and the PC builder Cyberpower were among them, so each could compare its conditions with those of its direct competitors. The documents date back to 2021.

Only after Gamers Nexus informed Zotac and its commercial customers about these documents did things move quickly: according to Steve Burke, founder and host of the channel, the misconfiguration was corrected within four hours. The documents are not yet off the net, though. Last weekend they were still accessible via search engine caches, as heise online confirmed in spot checks. To close that route, Zotac would have to file removal requests with the search engines. Whether this has already been done is not known. Steve Burke recommended it to the company in a conversation, as he told heise online.

Two lessons follow from this case. When a company, legitimately, asks for proof of purchase in order to process a warranty claim, customers should redact the document as far as possible and send it by email. If a web upload form is the only option, be especially careful: if at all possible, do not upload unredacted invoices carrying personal data there.

And for the companies operating such systems, the old rule still applies: customer data must not be dumped into a publicly reachable directory as if it were a shared network drive, not least for legal reasons. Such "browsable directories" on the open Internet are not only unacceptable under data protection law, they are also an ideal starting point for reconnaissance and subsequent attempts to break into a network.
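As an added check, not code from the article, from heise online or from Zotac: the two properties this story turns on, an auto-generated directory listing and the absence of a "do not index" signal, can both be recognised in a plain HTTP response. The script below does that on captured response text so it runs offline; the sample pages and headers are constructed, the URL at the end is a placeholder, and the function names are our own.

```shell
#!/bin/sh
# Added example: heuristics for spotting an exposed, search-engine-indexable
# upload directory. Works on captured header/body text; see the curl lines at
# the end for live use. All sample data below is constructed, not a capture.

# Returns 0 if the body looks like an auto-generated index page
# (Apache mod_autoindex or nginx "autoindex on"), 1 otherwise.
is_dir_listing() {
    printf '%s\n' "$1" | grep -Eiq '<title>Index of /|<h1>Index of /|> ?Parent Directory<|href="\.\./"'
}

# Returns 0 if the headers carry an X-Robots-Tag forbidding indexing.
# Note: a listing that crawlers skip is still an exposed listing; this only
# tells you whether search engines were invited in as well.
has_noindex_header() {
    printf '%s\n' "$1" | grep -Eiq '^X-Robots-Tag:.*noindex'
}

# Verdict for one response: LISTING_INDEXABLE, LISTING_NOINDEX or NO_LISTING.
audit_response() {
    headers=$1
    body=$2
    if is_dir_listing "$body"; then
        if has_noindex_header "$headers"; then
            echo LISTING_NOINDEX
        else
            echo LISTING_INDEXABLE
        fi
    else
        echo NO_LISTING
    fi
}

# Constructed samples (invented file names; shaped like the servers' defaults).
APACHE_LISTING='<html>
 <head><title>Index of /rma/uploads</title></head>
 <body><h1>Index of /rma/uploads</h1>
<ul><li><a href="/rma/"> Parent Directory</a></li>
<li><a href="receipt-2023-0042.pdf"> receipt-2023-0042.pdf</a></li>
</ul></body></html>'

NGINX_LISTING='<html>
<head><title>Index of /uploads/</title></head>
<body><h1>Index of /uploads/</h1><hr><pre><a href="../">../</a>
<a href="invoice-0001.pdf">invoice-0001.pdf</a>
</pre><hr></body></html>'

FORM_PAGE='<html><head><title>RMA upload</title></head>
<body><form method="post" enctype="multipart/form-data">
<input type="file" name="proof"></form></body></html>'

PLAIN_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

NOINDEX_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Robots-Tag: noindex, nofollow
Content-Type: text/html'

echo "apache listing, no robots header: $(audit_response "$PLAIN_HEADERS" "$APACHE_LISTING")"
echo "nginx listing, noindex header:    $(audit_response "$NOINDEX_HEADERS" "$NGINX_LISTING")"
echo "ordinary form page:               $(audit_response "$PLAIN_HEADERS" "$FORM_PAGE")"

# Live use against your own server (needs network; placeholder URL):
#   url='https://example.test/uploads/'
#   audit_response "$(curl -sI "$url")" "$(curl -s "$url")"
```

A verdict of LISTING_INDEXABLE is the Zotac situation. Disabling the listing (`Options -Indexes` in Apache, `autoindex off;` in nginx) removes the index page but still leaves every file fetchable by anyone who knows or guesses its name; the real fix is to store uploads outside the document root and hand them out only through an authenticated application handler. Cached copies remain with the search engines until removal requests are filed, as the article notes.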

(olb)