At Maropost, we take security of all our clients’ data seriously. Our platform is hosted in state-of-the-art data centers. Our employees are required to complete annual security awareness trainings and their completion of the training tracked.
A recent article describing the exposure of a log file held several inaccuracies. The actual timeline of the event is as follows:
- July 20, 2019, Maropost Employee incorrectly applied a global rule that left port 9200 open to public, instead of following standard procedure
- Sample logs were uploaded to the log server daily, the information reflected log activity from ten days prior to the current date
- Logs were automatically purge daily, following the six days purging rule set on the server
- On January 30, 2020 CyberNews gained access to a MTA log file on a test server
- Feb 18, 2020 was the last day that information flowed to the log server, representing log data up to February 8, 2020
- The last day that log existed on the log server was Feb 24, 2020,
The log exposure was not to the degree as reported and certainly not a data breach. As mentioned above, it was a misconfiguration of a test server led to a port being open to the public network. This test server contained the log file used to test the performance of a service – which held a handful of MTA events that contained randomized email addresses (no first name, no last name, no phone number, no client names, or any other identifiable information was within the log file) some real and some not from a customer log that was approved for use.
Corrective measures to prevent the exposure of any logs from happening again, whether a test or not, have been implemented.
We recognize the trust that our clients place with us, work hard every day to earn it, and I apologize for any strain the dramatized versions of this event may have caused.
Ross Andrew Paquette
Chairman & CEO