The California-based company is a leader in laser-engraved metal business cards. Its customers include several high-profile organizations such as Google, Tesla, Nike, and Wells Fargo.

Sensitive Customer Data Submitted to MMBC is Exposed

Unfortunately, according to our investigation, MMBC’s storage practices might have allowed customer information to leak online. Our team found the personal email addresses, cell phone numbers, and home addresses of hundreds of high-level executives. And we found the business information of thousands more individuals.

Names, addresses, emails, and phone numbers leaked

Our security team found 18,770 invoices and 25,802 order proofs, spanning from 2020 to 2022. In total, over 240,000 files were stored insecurely. MMBC has not responded to us or resolved the issue. We were able to find information about individuals’ private investments and memberships in exclusive clubs by analyzing these files.

Some of the companies affected include Cisco, IBM, Oracle, John Hancock, and Wells Fargo. We also found information belonging to people working in government agencies, such as the Department of Homeland Security, the Federal Aviation Agency, and the National Aeronautics and Space Administration (NASA).

We sent an email to MMBC to alert them about the exposed data three days after we discovered it. We sent many subsequent emails in the following months, but the company has not responded or repaired the breach.

Timeline

This is the timeline of events:

Aaron Phillips, the cybersecurity professional who discovered this breach, commented, “I don’t understand why My Metal Business Card ignored our attempts to bring this to their attention. We’ve never seen a company refuse to acknowledge a breach of their backend systems for this long.”

Cybercrime Attacks Targeting Executive Management

While any data leak involving phone numbers, email addresses, or other PII is a matter of concern, the MMBC leak could cause serious problems for the affected companies. C-level executives and executive management have access to sensitive information, which makes them a lucrative target for cybercriminals. Since most cyberattacks against high-profile companies are financially motivated, malicious actors target people and accounts that hold key information. In fact, a study from SecurityAdvisor found that executives face 50 times as many phishing attacks as an average employee. In 2020, 84% of C-level executives said they were the targets of at least one cyberattack in the previous year. Phishing attacks make up over half of these incidents, and most IT leaders agree that this is the most prominent attack C-level executives face.

84% of C-level executives say they had been targeted by at least one cyberattack in the past year, with phishing attacks again being the most common (54%). 78% of IT leaders say the C-Suite is the most likely to be targeted by phishing attacks. 76% of CEOs admit to bypassing security protocols to get something done faster, sacrificing security for speed.

There is also a significant rise in CEO fraud, where attackers impersonate executives to dupe other employees into making wire transfers, signing documents, or handing over sensitive information.

Nine Months Later and Still No Fix

Based on the evidence and facts we have, VPNOverview.com is publishing this article with no fix currently in place. Exposure of customer data is still highly possible. We took every precaution to keep the details of this breach private. But customers of My Metal Business Card need to be aware that any information they provide to the company could become publicly available.

When asked for his opinion of the breach, Aaron said, “I’m at a loss for words. I’ve had a long career in IT before I started working in cybersecurity. I’m struggling to remember any company I’ve ever worked with that would let a data breach persist for this long. Maybe they have a good excuse, but they sure didn’t share it with us. 9 months later and still no fix. It’s disappointing.”
