Enterprise software transmits terabytes of data to vendors without customers' knowledge

In one case, a software package sent data to an IP address flagged for hosting malicious programmes

Cyber analytics firm ExtraHop has issued a security advisory outlining four different cases where it found enterprise software 'phoning home' proprietary data without customers' knowledge.

Although ExtraHop didn't disclose the names of the vendors or the software, it revealed that they included endpoint security software, surveillance cameras, security analytics software and a device management tool for a hospital.

All these software programmes were quietly transmitting data to servers based outside of the customer's network without authorisation.

"The companies are all respected security and IT vendors and, in all likelihood, the phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration," ExtraHop explained in its advisory [PDF].

"But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer's knowledge or consent is problematic."

'Phoning home' is a common practice, where a host establishes a connection to a server to upload data.

According to ExtraHop, it is not illegal or risky for software tools to collect and transmit data to their makers as long as it is done in the right way: with the customer's knowledge, and with the vendor being clear about what information is being transmitted.

However, in the four cases reported by ExtraHop, the company claims that the practice could have led to exposure of sensitive enterprise data.

For example, the security camera programme monitored by ExtraHop was sending data to an IP address based in China flagged for hosting malicious programmes.

Similarly, the analytics software's data transmission likely violated the US Gramm-Leach-Bliley Act, as well as GDPR, by sending personally identifiable information to servers located in foreign countries.

Another programme, which was not purchased by a user and had already completed its trial period, was also found to be collecting information from the system for at least two months.

"We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors," said Jeff Costlow, ExtraHop CISO.

"What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data. We're urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn't go unchecked," he added.
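One concrete form the "better visibility" Costlow calls for can take is a review of outbound flow records: total the bytes each host sends to each external destination and flag destinations that are neither internal nor on the list of vendor endpoints the customer has knowingly authorised. The script below is an added illustration, not code from ExtraHop or its advisory; the flow records, the approved-vendor range, the flagged-IP list and the volume threshold are all constructed.

```python
# Added example (not from the ExtraHop advisory): flag hosts that send
# large volumes of data to destinations outside an approved-vendor list.
# All records, ranges and the flagged-IP list below are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (source host, destination IP, bytes out)
FLOWS = [
    ("cam-01",    "10.0.5.20",    12_000),         # internal recorder
    ("cam-01",    "203.0.113.45", 950_000_000),    # large upload to unknown IP
    ("edr-agent", "198.51.100.9", 2_400_000_000),  # disclosed vendor cloud
    ("analytics", "192.0.2.77",   600_000_000),    # unknown destination
    ("trial-box", "192.0.2.77",   3_500_000),      # below volume threshold
]

# Constructed policy: destinations the customer has knowingly authorised.
APPROVED_VENDOR_RANGES = [ip_network("198.51.100.0/24")]
# Constructed list of IPs flagged for hosting malicious programmes.
FLAGGED_IPS = {"203.0.113.45"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
VOLUME_THRESHOLD = 100 * 1024 * 1024  # 100 MiB outbound to one destination


def is_in(ip, networks):
    return any(ip in net for net in networks)


def find_phone_home(flows, approved=APPROVED_VENDOR_RANGES,
                    flagged=FLAGGED_IPS, threshold=VOLUME_THRESHOLD):
    """Return (host, dst_ip, total_bytes, reasons) tuples worth investigating."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        totals[(host, dst)] += nbytes
    findings = []
    for (host, dst), total in sorted(totals.items()):
        ip = ip_address(dst)
        if is_in(ip, INTERNAL) or is_in(ip, approved):
            continue  # internal traffic or a disclosed vendor endpoint
        reasons = []
        if total >= threshold:
            reasons.append("large outbound volume to undisclosed destination")
        if dst in flagged:
            reasons.append("destination on flagged-IP list")
        if reasons:  # low-volume trickles (e.g. trial-box) need other controls
            findings.append((host, dst, total, reasons))
    return findings


if __name__ == "__main__":
    for host, dst, total, reasons in find_phone_home(FLOWS):
        print(f"{host} -> {dst}: {total:,} bytes; {'; '.join(reasons)}")
```

A volume threshold alone misses small, steady uploads such as the expired-trial case above; pairing it with a per-destination allowlist review catches those as "undisclosed destination" regardless of size.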

All four cases reported by ExtraHop were unearthed in 2018 and during the first weeks of 2019.

Data privacy has become a hot subject in recent years, with most countries currently working to implement, or having already implemented, data protection regulations such as the General Data Protection Regulation (GDPR).

Privacy watchdogs in various countries have imposed increasingly heavy fines on companies exposing sensitive user data to third-party vendors.

Last month, the US Federal Trade Commission approved a $5 billion settlement with Facebook over the sharing of data with political consultancy Cambridge Analytica.

Google also currently faces ICO investigation in the UK over GDPR violation claims, and could be fined four per cent of its $136.8 billion global annual turnover.