The investigative journalists at Gamers Nexus uncovered a serious and troubling data leak at Zotac, a company already in FTC crosshairs for its warranty practices. Tipped off by a viewer, the team learned that documents related to Return Material Authorization (RMA) requests were publicly available on the web and had even been indexed by Google. These documents contained full names, telephone numbers, email and mailing addresses, and more.
The viewer discovered this leak when doing his own due diligence to see what information came up when he Googled his name. Surprisingly, he discovered a document he had uploaded to Zotac as part of an RMA return. He promptly notified both Zotac and Gamers Nexus.
While Zotac immediately removed access to that individual’s attachment, Gamers Nexus quickly discovered how widespread and serious the leak was. It discovered RMA attachments from consumers, including emails and spreadsheets containing those people’s personal information.
Other documents included corporate invoices to businesses like Micro Center, iBuyPower, and others. In at least one case, a document contained what was either an Employer Identification Number or Social Security Number. Gamers Nexus swiftly emailed Zotac of their findings as well as several of the business-to-business customers involved.
While Gamers Nexus did not immediately identify Zotac to the public, they did post a message to X (formerly known as Twitter) on July 5 to timestamp how long it took the company to begin addressing the issue. The good news is that it didn’t take long.
With the help of a viewer, we have discovered a major breach of privacy at a hardware vendor whereupon GN was able to download customer personal information, addresses, phone numbers, and also business-to-business invoices & orders. The company has not replied to GN. We have 1/3July 5, 2024
As of this writing, searching for “RMA Zotac” does still list hundreds of PDF and Excel documents submitted to Zotac’s RMA and warranty web page. However, the links now lead to dead links, likely because Zotac corrected the misconfigured file permissions for that directory.
Zotac also temporarily removed the “upload attachment” button from its RMA form. Until the company’s web developers can properly fix the issue, Zotac will be asking customers to email their documentation instead of using the online portal.
Some information can still be gleaned from Google’s cache, though, which is problematic. Since Zotac has not taken measures yet to deindex that directory with Google, the search engine results pages still list bits and pieces of information. We were able to find several customers’ mailing addresses this way.
If you have ever filed an RMA with Zotac, you should Google search your own name along with Zotac’s and perhaps RMA. If you find anything containing your information, click the three dots in the top right of the result to request Google remove the page from its search results.