My Metal Business Card Data Breach Exposes Data of Thousands of Customers


In December 2021, our VPNOverview security team discovered that My Metal Business Card (MMBC) possibly did not properly secure its cloud data. We discovered an open Amazon Web Services S3 Bucket containing information about their customers.

The California-based company is a leader in laser-engraved metal business cards. Its customers include several high-profile organizations such as Google, Tesla, Nike, and Wells Fargo.

Sensitive Customer Data Submitted to MMBC is Exposed

Unfortunately, according to our investigation, MMBC’s storage practices might have allowed customer information to leak online. Our team found the personal email addresses, cell phone numbers, and home addresses of hundreds of high-level executives. And we found the business information of thousands more individuals.

Names, addresses, emails, and phone numbers leaked

MMBC appears to have run some of its backend systems using an Amazon Web Services S3 bucket, which is common. But the S3 bucket was open to the internet, exposing MMBC’s internal files.
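The misconfiguration described above is one a cloud team can detect from the bucket's own settings. The following Python is an added example and is not code from the VPNOverview article or from MMBC's systems: it evaluates three documents shaped like what boto3's get_public_access_block, get_bucket_policy and get_bucket_acl return and reports any world-readable path. All inputs are constructed, and the account id and role name in the hardened configuration are placeholders.

```python
"""Offline audit of an S3 bucket's public exposure (constructed example).

The weak and hardened configurations below are made-up inputs shaped like the
JSON that boto3's get_public_access_block / get_bucket_policy / get_bucket_acl
return; nothing here touches a real AWS account.
"""
from typing import Dict, List

# Canned ACL grantees that make a bucket or its objects readable by anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions (lower-cased) that let a principal read or list bucket contents.
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:list*", "s3:listbucket"}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> List[str]:
    """Policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_public(principal) -> bool:
    """True when a statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket(public_access_block: Dict[str, bool], policy: dict, acl_grants: List[dict]) -> List[str]:
    """Return human-readable findings; an empty list means no public read path was found."""
    findings: List[str] = []
    # Block Public Access with all four flags on overrides any public policy or ACL.
    if public_access_block and all(public_access_block.get(flag) for flag in BLOCK_FLAGS):
        return findings
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows {sorted(actions)} to Principal *")
    return findings


# Constructed weak configuration: no public-access block, public policy, public ACL.
WEAK_BLOCK = {flag: False for flag in BLOCK_FLAGS}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-orders", "arn:aws:s3:::example-orders/*"],
    }],
}
WEAK_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]

# Constructed hardened configuration: block on, access limited to one backend role.
# 111122223333 and the role name are placeholders, not real identifiers.
HARDENED_BLOCK = {flag: True for flag in BLOCK_FLAGS}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackendOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/invoice-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-orders/*",
    }],
}
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
                 "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_BLOCK, WEAK_POLICY, WEAK_ACL)),
                       ("hardened", (HARDENED_BLOCK, HARDENED_POLICY, HARDENED_ACL))):
        print(label, audit_bucket(*cfg) or ["no public read path found"])
```

Running the script lists two findings for the weak bucket (the AllUsers ACL grant and the wildcard policy statement) and none for the hardened one; turning on all four Block Public Access flags alone is enough to neutralise the weak policy and ACL, which is why that control is the first thing to check in an audit.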

[Image: Personally Identifiable Information from a specific business in the My Metal Business Cards breach, blurred]

Our security team found 18,770 invoices and 25,802 order proofs, spanning from 2020 to 2022. In total, over 240,000 files were stored insecurely. MMBC has not responded to us or resolved the issue.

We were able to find information about individuals’ private investments and memberships in exclusive clubs by analyzing these files.

[Image: Invoice from the My Metal Business Cards breach, blurred]

Some of the companies affected include Cisco, IBM, Oracle, John Hancock, and Wells Fargo. We also found information belonging to people working in government agencies, such as the Department of Homeland Security, the Federal Aviation Agency, and the National Aeronautics and Space Administration (NASA).

[Image: Personally Identifiable Information from the My Metal Business Cards breach, blurred]

We sent an email to MMBC to alert them about the exposed data three days after we discovered it. We sent many subsequent emails in the following months, but the company has not responded or repaired the breach.

Timeline

This is the timeline of events:

Event | Date
Discovered the breach of customer data at My Metal Business Card | December 5th, 2021
Sent an email to My Metal Business Card notifying them of the breach | December 8th, 2021
Sent another email to My Metal Business Card | December 17th, 2021
Sent another email to My Metal Business Card | January 13th, 2022
Sent an email to many additional addresses at My Metal Business Card | March 15th, 2022
Sent a message on LinkedIn to 5 people at My Metal Business Card; 3 of them saw the message, including the Founder and the Director of Operations | July 11th, 2022
Sent a follow-up message on LinkedIn; 2 of them saw the message, including the Director of Operations | August 9th, 2022

Aaron Phillips, the cybersecurity professional who discovered this breach, commented, “I don’t understand why My Metal Business Card ignored our attempts to bring this to their attention. We’ve never seen a company refuse to acknowledge a breach of their backend systems for this long.”

Cybercrime Attacks Targeting Executive Management

While any data leak involving phone numbers, email addresses, or other PII is a matter of concern, the MMBC leak could cause serious problems for the affected companies.

C-level executives and executive management have access to sensitive information. That makes them a lucrative target for cybercriminals. Since most cyberattacks against high-profile companies are financially motivated, malicious actors target people and accounts that hold key information.

In fact, a study from SecurityAdvisor found executives face 50 times the number of phishing attacks compared to an average employee.

In 2020, 84% of C-level executives said they were the targets of at least one cyberattack in the previous year. Phishing attacks make up over half of these incidents, and most IT leaders agree that this is the most prominent attack C-level executives face.

  • 84% of C-level executives say they had been targeted by at least one cyberattack in the past year, with phishing attacks again being the most common (54%).
  • 78% of IT leaders say the C-Suite is the most likely to be targeted by phishing attacks.
  • 76% of CEOs admit to bypassing security protocols to get something done faster, sacrificing security for speed.

There is also a significant rise in CEO fraud, where attackers impersonate executives to dupe other employees into making wire transfers, signing documents, or handing over sensitive information.

Nine Months Later and Still No Fix

According to the evidence and facts we have, VPNOverview.com is publishing this article with no fix currently in place. The risk to customers remains very real. We took every precaution to keep the details of this breach private. But customers of My Metal Business Card need to be aware that any information they provide to the company could become publicly available.

When asked for his opinion of the breach, Aaron said, “I’m at a loss for words. I’ve had a long career in IT before I started working in cybersecurity. I’m struggling to remember any company I’ve ever worked with that would let a data breach persist for this long. Maybe they have a good excuse, but they sure didn’t share it with us. 9 months later and still no fix. It’s disappointing.”

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.