ZOTAC Security Breach Exposes Customer Data in Google Search

In a recent revelation, hardware manufacturer ZOTAC faced a significant security lapse that compromised sensitive customer information. Due to inadequate security policies within its after-sales system, critical data related to returns and exchanges became accessible to Google crawlers, resulting in this sensitive information appearing in Google search results.

The compromised data includes customers’ names, phone numbers, email addresses, and shipping addresses—highly sensitive details that should have been safeguarded. The duration of this exposure is yet to be determined, raising concerns about the potential misuse of this information.

The issue was first identified by the tech website Gamers Nexus. An editor discovered the breach when a simple Google search for their name revealed a previously submitted after-sales request form to ZOTAC, which could be readily accessed and downloaded.

According to ZOTAC’s after-sales process, customers are required to fill out their real information in a form and upload it to ZOTAC’s service system. This process inadvertently became the initial source of the data leak. Typically, such files should be protected by stringent access controls, ensuring only after-sales team members can view them. However, due to deficiencies in ZOTAC’s server security policies, these files were left publicly accessible and downloadable.

The implications of this security lapse extend beyond individual customers. Gamers Nexus also discovered receipts from other companies, such as Micro Center and iBuyPower, among the exposed data. These receipts contain sensitive information and highlight the broader impact of ZOTAC’s security oversight.

Upon discovering the breach, Gamers Nexus promptly sent security reports to ZOTAC and the other affected companies. While Google still indexes some of ZOTAC’s after-sales-related files, permissions have since been modified to prevent direct access.

To prevent further data exposure, ZOTAC has revised its after-sales service process. The upload button, which previously required customers to submit electronic forms, has been removed. Customers are now instructed to send these forms via email, thereby reducing the risk of data exposure on the Internet.

ZOTAC has yet to issue a detailed statement on this security incident, leaving many questions unanswered. The total number of exposed files remains unknown, but given the high frequency of after-sales requests, it is likely that tens of thousands of files could be at risk.