Cloud hosting company DigitalOcean announced a data breach that led to the leak of customer billing data, Bleeping Computer reported. The attack, which took place over a few weeks, was disclosed to customers via email.
According to the notification email, “An unauthorized user gained access to some of your billing account details through a flaw that has been fixed. This exposure impacted a small percentage of our customers.”
It further informs customers that the incident happened between April 9, 2021 and April 22, 2021. The incident resulted in the leak of sensitive information, namely billing name and address, payment card expiration, the last four digits of payment cards, and payment card bank name.
The company assured its clients that it does not store full payment card account numbers and that these were not exposed in the leak. It also said that users’ DigitalOcean accounts, passwords, and account tokens remain safe.
To ensure the safety of its systems and customers’ data, DigitalOcean said that it “[has] fixed the flaw that enabled this exposure, and unauthorized parties can no longer access this information.” Moreover, the company has informed the government bodies in charge of data protection.
The company added, “To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of occurring in the future,” as per TechCrunch.
Tyler Healy, DigitalOcean security chief, said in a statement that only 1% of customers’ billing profiles were involved in the breach. When asked about the specifics of the incident, the company refused to clarify how the breach occurred and which authorities were notified.
The company has clients in Europe, where the General Data Protection Regulation (GDPR) applies. The GDPR imposes a fine of 4% of global annual revenue on companies operating in its jurisdiction.
Bleeping Computer also got in touch with DigitalOcean, but the cloud hosting vendor has not responded as of writing.
The incident occurred after the vendor acquired $100 million in new debt, as well as another $50 million after it laid off dozens of employees due to financial health concerns. This March, the company launched its initial public offering, allowing it to raise $775 million.
Meanwhile, the company was also involved in a data breach in 2020, which involved the leak of customers’ accounts through a compromised document. A public link showed all accounts.