Dear Customer, Reseller, or Partner,
As you may know, on September 21, 2017, some media outlets reported a data security incident concerning SVR Tracking. SVR immediately began an investigation, and we are writing to inform you of the status of our investigation.
On September 21, 2017, a cybersecurity research firm called Kromtech Security Center alerted SVR that an online database used by SVR to store backups of some customer-related data was misconfigured. As a result of the misconfiguration, Kromtech was able to access at least some of the information in the database. SVR immediately verified and repaired the misconfiguration to prohibit any further unauthorized access and began its own investigation. The database contained the following categories of information:
The database did not contain un-hashed passwords, because SVR never collects or stores a customer's un-hashed password. Contrary to some reports, the passwords were hashed using the SHA-256 Cryptographic Hash Algorithm, and not SHA-1. Nevertheless, out of an abundance of caution, on September 22, 2017, SVR required all customers to change their passwords. Kromtech subsequently provided its IP address to SVR, which SVR used to verify that Kromtech's IP address was the only unauthorized IP address that accessed the database before SVR repaired the configuration issue. Kromtech has also confirmed that it did not download or otherwise copy any customer information from the database and that it has otherwise securely destroyed all information pertaining to its access of the database. SVR is grateful for the service Kromtech performed in immediately notifying SVR of the database vulnerability and its cooperation in SVR's investigation.
SVR is reviewing its procedures concerning data security to ensure that such an incident does not occur again in the future. While perfect security is unfortunately impossible for anyone these days, SVR is making all reasonable efforts to ensure that personal information you share with us remains safe from unauthorized access that could pose a substantial risk of identity theft or other serious harm. Should you have any questions about this incident, please contact firstname.lastname@example.org.
Thank you for patience and understanding.
...Mark Wells, President & CEO
SVR Tracking Inc.