Peak Design Accidentally Leaked 10 Years of Client Data and Records


A decade’s worth of Peak Design’s client data (about half a million records) leaked publicly because, during a data migration, the information was temporarily left without password protection.

The data leak was discovered by Cybernews in a report published this morning. It includes a full summary of the leak, what it believes to have been the cause, and screenshots backing up the publication’s findings as well as supposed proof that the data had been seen by malicious parties.

“On March 25th, the Cybernews research team identified the leak and informed the company. While the data appeared on search engines on April 24th, the leaked support tickets span nearly a decade from June 2014 to May 2023, magnifying the scope of the leak,” Cybernews writes. “Cybernews researchers found a ransom note on the company’s systems, indicating it was likely accessed by the threat actor at least once.”

Peak Design confirmed the data breach to PetaPixel this afternoon.

“You support Peak Design with the confidence that we protect your privacy. We recently discovered and fixed a data compromise involving historical customer service tickets,” Peter Dering, Peak Design’s Founder and CEO, explains in an email sent to PetaPixel that is addressed to customers.

Peak Design says that the data includes customer service tickets dating from October 2013 to May 2023.

“These tickets can include customer names, emails, shipping addresses, order details, and correspondences with our customer service team. It’s important to note that no passwords, credit card info, bank info, social security numbers, or other personal information was compromised,” Dering says. “If you had correspondence with our customer service team during the aforementioned dates, the contents of that correspondence may have been compromised.”

The company says it is not aware of any misuse of the information and reiterates that no account credentials, credit card info, bank info, or social security numbers were part of this data leak.

“If you receive communication from or relating to Peak Design that seems suspicious, contact us at [email protected]. If you are concerned about identity theft and would like more information on ways to protect yourself, visit the Federal Trade Commission’s Identity Theft website.”

How The Leak Happened

Cybernews reports that the information was publicly visible because Peak Design had not set a password on its Elasticsearch servers.

“The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems,” Cybernews explains. “Access to the Elasticsearch servers should never be exposed to the public web without proper authentication, as it is a common target for threat actors preying on user data. Ransomware bots, especially, target poorly secured instances and wipe data.”

Peak Design says this happened as the result of a data migration.

“Last year Peak Design migrated to a new customer service platform, and as a part of that migration, we created an internal system for agents to quickly search historical tickets. On March 11, 2024, a security gap was inadvertently created when the private server hosting the information was accidentally made externally accessible. On April 25th the staff at Cybernews, an independent cybersecurity research publication, detected the problem and we promptly fixed it. We believe the data was compromised on April 1st by an unauthorized third party. We don’t know that party’s identity or if they actually saved or distributed any info, and are not aware of any misuse of that information,” Dering says.

Peak says that the issue arose because a single setting was “mistakenly enabled” and the company has since put in place “an IT approval protocol and enhanced training” to do its best to ensure such a leak does not happen again.
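As an added illustration (not code from the article, Cybernews or Peak Design), a small Python check for the configuration pattern described above: an Elasticsearch node whose REST API is bound beyond loopback while authentication is switched off. The sample config is constructed; the default-on assumption for `xpack.security.enabled` matches Elasticsearch 8.x, while older 7.x basic-license nodes defaulted to off.

```python
import ipaddress

# Constructed sample config (not Peak Design's), flat dotted-key style.
EXPOSED_CONFIG = """
network.host: 0.0.0.0          # reachable on every interface
xpack.security.enabled: false  # no authentication on the REST API
"""
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text):
    """Parse 'key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback_only(host_value):
    """True if every bind address (scalar or [a, b] list) is loopback."""
    for host in host_value.strip("[]").split(","):
        host = host.strip()
        if not host or host in LOOPBACK_ALIASES:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # _site_, _global_, interface names: not loopback
        return False
    return True

def audit_elasticsearch_config(text, default_security_enabled=True):
    """Return findings; the CRITICAL one is the combination that leaked here.
    Assumes security defaults on (Elasticsearch 8.x); pass False for 7.x basic."""
    s = parse_flat_yaml(text)
    bind = s.get("http.host", s.get("network.host", "_local_"))
    flag = s.get("xpack.security.enabled")
    security_on = default_security_enabled if flag is None else flag.lower() == "true"
    findings = []
    if not is_loopback_only(bind):
        findings.append(f"HTTP API bound beyond loopback: {bind}")
    if not security_on:
        findings.append("xpack.security.enabled is false: REST API needs no credentials")
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated Elasticsearch reachable from outside the host")
    return findings
```

Running the audit as part of a change-approval step catches the "single setting" slip before a node goes live; a node that is meant to be reachable by agents should sit behind authentication and a network allow-list rather than on a public interface.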

“Moreover, we are actively reviewing our privacy protocols and data-handling training regimen,” Dering adds.

“Your trust means everything to us. The risk of cyber attack is a reality of doing business in the modern world, and we’re responding to this incident with the utmost haste and seriousness. It is in our mission to treat our customers as peers, which to us has always meant clarity in communication, honoring our word, and respecting your privacy. Thank you for your continued support.”

Cybernews’ full report can be read on the publication’s website.
