VirusTotal apologizes for accidental leak that exposed customer data

Google’s malware scanning platform VirusTotal published an apology on Friday after hundreds of individuals working for defense and intelligence agencies globally had their names and email addresses accidentally exposed by an employee.

In a public statement, VirusTotal said it apologized “for any concern or confusion” the exposure may have caused and said it took place on June 29, when the employee accidentally uploaded a CSV file to the platform.

“This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators. We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

The company stressed that the incident was not the result of a cyberattack or a vulnerability, but simply human error. It said that since the incident the platform has “implemented new internal processes and technical controls to improve the security and safeguarding of customer data.”

The list of 5,600 customers, which was seen by Recorded Future News, included hundreds of email addresses in the format “firstname.lastname@” for personnel working in sensitive government departments.

It identifies individuals affiliated with U.S. Cyber Command and the National Security Agency, as well as with the Pentagon, the FBI, and a number of U.S. military service branches.

It reveals some military personnel are using email providers other than those connected to official domains as part of their threat intelligence work, with user accounts for some organizations and military commands registered to Gmail, Hotmail, and Yahoo.

From the United Kingdom, it contains the names of a dozen Ministry of Defence personnel as well as emails belonging to staff at the CERT-UK function of the National Cyber Security Centre, a part of GCHQ. Keeping with GCHQ’s email format, the NCSC emails include only an initial for each users’ surname.

Full names are recognisable in the email addresses belonging to specialists working at the MoD, as well as at the Cabinet Office, the Nuclear Decommissioning Authority, and the Pensions Regulator. None of these agencies expressed concern about the incident when contacted by Recorded Future News, and spokespeople generally described it as a low-risk incident.