Scaleway SSD with customer data purchased on classified ads website by French vlogger

In a May 2021 tweet, the French vlogger Micode asked their Twitter followers to identify the data on an SSD they purchased on the local classified ads website leboncoin:

What followed was a series of 3 videos from Micode:

Micode has declined to name the provider directly and the provider themselves have not, to my knowledge, issued an official statement regarding this data disclosure.

The provider is Scaleway and the SSD most probably comes from a Suchard (VC1S) hypervisor, judging by the dates and the fact that it is SATA (Tagada and newer hypervisors utilize NVMe storage).

I state this information in my capacity as a former Scaleway employee who left the enterprise several years ago. During my employment, Scaleway did not regularly resell decommissioned hardware.

I don't know how the SSD ended up for sale on leboncoin, whether it was a theft or a change in policy regarding decommissioned hardware. However, in my opinion Scaleway's data center logistics were never that good, and it would not surprise me to learn that someone walked out of the data center with some SSDs from a decommissioning.

I am willing to provide proof of employment to a moderator for verification if necessary.

Comments

  • Nominating @angstrom to welcome this guy as he does this very well.

    Thanked by 1angstrom
  • DP Administrator, The Domain Guy

    @Boogeyman said:
    Nominating @angstrom to welcome this guy as he does this very well.

    I can step in on behalf of angstrom for this one.

    Thanked by 1angstrom
  • DP Administrator, The Domain Guy

    Welcome to LowEndTalk and congratulations on your first post.

    The LowEndDetectives will be with you shortly.

    Thank you for your patience.

    Thanked by 4angstrom imok JasonM tjn
  • edited July 2021

    Scaleway have released a blog post (currently only in French) confirming the incident: https://blog.scaleway.com/incident-securitaire-video-youtube/

    I am very dubious of the claim that they informed customers immediately, as I have heard that the responsible team at Scaleway was asked in May 2021 to locate the customers after Scaleway were informed by Micode of the possession of customer data.

    If any such customer exists, perhaps they would be kind enough to tell us when they were informed their data was exposed :smiley:

    It is sad, but not surprising, that Scaleway were not more proactive and transparent in their messaging about this. The blog release after a three part video series is damage control and nothing more.

  • adelxf Member

    The concerned customers (I am one of them) received a support ticket on June 2nd

  • jar Patron Provider, Top Host, Veteran
    edited July 2021

    They gained a lot of instant respect in the industry for releasing the Scaleway brand but I always felt it was undeserved because I remember quite fondly that they were first Online.net.

    Though I am surprised that a working disk ever made it out of their racks. Used to be that you’d have to fight tooth and nail to get them to abandon a dead drive. No one got more mileage out of a drive than offline.net.

    Funny that this actually had me wondering if they’re a cleaner operation now.

  • quicksilver03 Member, Host Rep

    IANAL of course, but it looks to me that this vlogger has publicly admitted to purchase and possession of stolen goods (recel de vol in French), for which the penalties can go up to 5 years in prison and up to 375K euros in fines. And that might be nothing compared to the intellectual property ramifications.

  • @jar said:
    Though I am surprised that a working disk ever made it out of their racks. Used to be that you’d have to fight tooth and nail to get them to abandon a dead drive. No one got more mileage out of a drive than offline.net.

    The drive comes out functional if the server dies first. Atom C2000 CPU ;)

    Thanked by 1jar
  • @quicksilver03 said:
    IANAL of course, but it looks to me that this vlogger has publicly admitted to purchase and possession of stolen goods (recel de vol in French), for which the penalties can go up to 5 years in prison and up to 375K euros in fines. And that might be nothing compared to the intellectual property ramifications.

    Does he actually admit that? And even more that he knew it was stolen?

  • quicksilver03 Member, Host Rep

    In the blog post linked by Moonlight_Trenchcoat, Scaleway states that they have reported the theft to the authorities when it happened, about a year ago.

    Watching the videos requires a great deal of patience because of the heavy editing (and the vlogger's way of talking), but in episode 3 he eventually states that the disk belonged to a hosting company. He'd have a hard time claiming he didn't know it was stolen, since he has so many YouTube videos in which he claims to be an IT expert.

    As for the disk, the physical object is Scaleway's property, so it's up to them to decide what to do. The data however is the property of the various Scaleway customers, and that's up to them to decide whether or not to sue Scaleway for breach of contract and/or the vlogger for possession of stolen goods.

    The vlogger's position might be even worse if he did receive revenue from the videos, say in the form of ad revenue.

    Thanked by 1JasonM
  • JabJab Member

    @adelxf said: The concerned customers (I am one of them) received a support ticket on June 2nd

    This is gonna sound a little rude, but why did you decide to share the French version of the text (not English or both...) and as a fucking screenshot, not as text?

    Thanked by 1sayem314
  • hanoi Member
    edited July 2021

    Interesting: when I type scaleway on Twitter, it suggests this drama (scaleway micode), all content in French. I'm surprised 2 days have passed but this still does not exist in any online newspaper, or even on any English forum or Reddit, except LowEndTalk.

  • Since Scaleway did not release their statement in English, below is the original French and English translation.

    The YouTuber they talk about is Micode and if Scaleway knew for over 1 year, why do they only mention it now?

    Maybe they consider "transparency to customers" as their top priority going forward ;)

    Let us see who has the better SEO :smile:

    L’envers du décor d’un incident sécuritaire suite à la publication d’une vidéo sur YouTube : la protection des données est notre quotidien et notre priorité absolue

    Il y a plus d’un an, nous avons fait l’objet du vol d’un SSD lors d’un transport sécurisé entre deux de nos datacenters. Nous avons sans délai porté plainte et prévenu la clientèle potentiellement impactée.

    Rebondissement insoupçonné, très récemment, un Youtubeur, préparant un sujet sur l’effacement des données et de leur persistance après un formatage, a acheté sur un site de petites annonces ce disque SSD.

    Puisque la sécurité des données de nos clients est une priorité absolue, nous avons rapidement collaboré avec ce Youtubeur pour récupérer le SSD et il nous a assuré par écrit qu’il n’existait plus de copie.

    Cet événement a également permis une avancée significative de l’enquête de police en cours, qui par ailleurs, nous empêche de pouvoir communiquer davantage à ce sujet.

    En réponse à cet incident, nous avons effectué un audit complet de nos processus de transport de médias. Un contrôle renforcé de ces transports a été mis en place. Par exemple, le transport de matériel de stockage est dorénavant assuré dans des mallettes durcies équipées de traceurs GPS.

    Nous effectuons des audits réguliers de nos infrastructures dans le cadre de plusieurs normes (ISO 27001, HDS) et continuons à investir dans ce sens. Pour protéger vos données le plus efficacement possible, Scaleway évolue en permanence avec les standards du marché.

    Fort heureusement, cet incident n’a pas endommagé l’activité commerciale de nos clients. En revanche, la cybercriminalité est un réel fléau que nous nous devons tous de combattre, avec professionnalisme et discrétion. L’actualité évoque régulièrement des incidents majeurs chez des grands acteurs qui compromettent les données personnelles de millions, parfois de milliards de particuliers, ou alors anéantissent des activités commerciales.

    Enfin et surtout, cet incident permet de mettre en lumière le travail qu’effectuent les équipes de Scaleway au niveau de la sécurité. Parmi plus de 300 collaborateurs indirectement impliqués, une douzaine travaillent sans relâche pour repousser les attaques quotidiennes, majoritairement de l’extérieur et d’origines extra-territoriales. Ce sont ces collaborateurs qu’il convient avant toute chose de saluer, car derrière chaque incident se cachent des milliers d’autres qui ne surviennent pas grâce à leur travail acharné.

    Translation:

    Behind the scenes of a security incident following the publication of a video on YouTube: data protection is our daily life and our top priority

    Over a year ago, an SSD was stolen during a secure transport between two of our data centers. We immediately lodged a complaint and warned potentially affected customers.

    Unsuspected twist, very recently, a YouTuber, preparing a topic on the erasure of data and their persistence after formatting, bought this SSD drive on a classifieds site.

    Since the security of our customers' data is a top priority, we quickly worked with this YouTuber to recover the SSD and he assured us in writing that there was no more copy.

    This event also allowed a significant advance in the current police investigation, which also prevents us from being able to communicate further on this subject.

    In response to this incident, we performed a full audit of our media transport processes. Reinforced control of this transport has been put in place. For example, the transport of storage equipment is now ensured in hardened cases equipped with GPS trackers.

    We carry out regular audits of our infrastructures within the framework of several standards (ISO 27001, HDS) and continue to invest in this direction. To protect your data as effectively as possible, Scaleway is constantly evolving with market standards.

    Fortunately, this incident did not damage the business activity of our customers. On the other hand, cybercrime is a real scourge that we all owe it to ourselves to fight, with professionalism and discretion. The news regularly evokes major incidents among major players that compromise the personal data of millions, sometimes billions of individuals, or destroy business activities.

    Last but not least, this incident sheds light on the work carried out by the Scaleway teams in terms of security. Among more than 300 employees indirectly involved, a dozen work tirelessly to repel daily attacks, mostly from outside and from extraterritorial origins. It is these collaborators who should above all be saluted, because behind every incident lie thousands of others who do not happen thanks to their hard work.

  • Neoon Community Contributor, Veteran

    Question is, do they re-brand again?

  • meroje Member

    @JabJab said:

    @adelxf said: The concerned customers (I am one of them) received a support ticket on June 2nd

    This is gonna sound a little rude, but why did you decide to share the French version of the text (not English or both...) and as a fucking screenshot, not as text?

    Dude reposted my tweet

    which is why it's a screenshot.

    The email for this ticket is dated Date: Wed, 02 Jun 2021 13:06:27 +0000 and here's the English part:


    Scaleway makes every effort to guarantee its customers an optimal level of security, with processes in place that are constantly being improved and regular audits performed.

    Despite our best efforts, we would like to inform you that some of the data you have entrusted to us on the 290xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx instance has been potentially compromised as a result of a security incident.

    In order to protect the environment, Scaleway destroys or recycles its hard drives that are no longer in use and erases all the data contained therein. We were the victim of a theft of a hard disk during its transport for formatting and destruction, thus causing a security incident and a potential leak of the data that was attached to it. Scaleway has obtained the return of the disk and is currently reviewing the processes involved so that this very exceptional incident does not happen again. The authorities are of course notified and mobilized. Please contact us specifically if you would like detailed information about this incident. It will then be your responsibility to notify the CNIL if the incident involves personal data for you. We will keep you informed about the evolution of the incident.

    We apologize for the inconvenience caused and remain at your disposal for any further information.

    --
    Cordialement / Best regards,
    The Excellence Team

    Thanked by 2adelxf JabJab
  • adelxf Member

    Hi Jerome, I didn't know it came from you.
    I found the screenshot on a Telegram channel

  • meroje Member

    No worries, now you got the plaintext :)

  • JabJab Member

    @meroje said: Dude reposted my tweet

    From his message I would say he claims he got that message. Maybe he was just too lazy to screenshot his own e-mail and took your Twitter picture? Confusing; 2021 is a strange year, soon everything will be video-only.

    Thanks for the plain text and English version!

  • @meroje said:
    The email for this ticket is dated Date: Wed, 02 Jun 2021 13:06:27 +0000 and here's the English part:


    Scaleway makes every effort to guarantee its customers an optimal level of security, with processes in place that are constantly being improved and regular audits performed.

    Despite our best efforts, we would like to inform you that some of the data you have entrusted to us on the 290xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx instance has been potentially compromised as a result of a security incident.

    In order to protect the environment, Scaleway destroys or recycles its hard drives that are no longer in use and erases all the data contained therein. We were the victim of a theft of a hard disk during its transport for formatting and destruction, thus causing a security incident and a potential leak of the data that was attached to it. Scaleway has obtained the return of the disk and is currently reviewing the processes involved so that this very exceptional incident does not happen again. The authorities are of course notified and mobilized. Please contact us specifically if you would like detailed information about this incident. It will then be your responsibility to notify the CNIL if the incident involves personal data for you. We will keep you informed about the evolution of the incident.

    We apologize for the inconvenience caused and remain at your disposal for any further information.

    --
    Cordialement / Best regards,
    The Excellence Team

    Thanks for this. I see two possibilities:

    1. Scaleway's blog post is true and they willfully ignored GDPR for over 1 year
    2. Scaleway's blog post is not true and they were not aware of the data leak until May 31st (72 hours before you received notification)
  • meroje Member

    Thanks for this. I see two possibilities:

    1. Scaleway's blog post is true and they willfully ignored GDPR for over 1 year
    2. Scaleway's blog post is not true and they were not aware of the data leak until May 31st (72 hours before you received notification)

    I’m as confused as you are, think I will request clarifications on the ticket
