Vocus has launched an audit of the physical security of one of its New Zealand data centres after a viral video showed the foyer could be accessed by simply pushing two doors open.
The video, by Twitter user Liam Farr, showed Vocus’ 7A data centre in the Auckland suburb of Albany.
How to break into a datacenter... pic.twitter.com/Q84JyljT2V
— Liam Farr (@nz_liam) December 1, 2018
Farr found the outside gate - which has intercom and swipe card access - unlocked.
He then progressed to the facility door, again with intercom and swipe card access, but showed that lock was broken.
That led into a small foyer with a choice of a door with a fingerprint reader and magnetic lock leading into the technical floor space, or stairs to reception.
The video, which was posted on Saturday morning, had received 37,500 views by Monday night, and forced Vocus NZ to use its Twitter account for the first time in a year-and-a-half.
“We fixed the front door which leads to a visitor lobby, but rest assured the DC was NOT insecure,” the company said late Saturday.
“The facility has 2FA card and biometric security, secure mantrap areas, 24/7 surveillance and has NOT been accessed by any unauthorised persons.”
Farr - who is a Vocus customer but has gear in another part of the Albany site - said that the front lock on 7A had been busted “on and off” for the past six months, and he’d had trouble rousing someone to fix it, hence the social media post.
He raised concerns that physical security standards at the site were slipping, and that the site’s protections - such as the swipe cards and the magnetic lock installation - were vulnerable to bypass.
In a statement to iTnews, Vocus NZ said that the video showed a customer “walking through an old security gate that hasn’t been in operation for many years and is no longer part of the data centre security system.”
“The customer was then able to reach the foyer without using his access card due to a faulty lock on the front door of the facility. This was fixed Saturday evening,” the spokesperson said.
“While being able to access the foyer of the facility was a failure, it’s extremely important to note that the facility has 2FA card and biometric security, secure mantrap areas, 24/7 surveillance and at no time was the data centre accessible to unauthorised persons.
“The filming was undertaken in the lobby area, outside of the external mantrap door. There are two doors in the mantrap configuration with swipe, PIN and biometrics between that lobby and the data floor.
“The magnetic lock is on the outside of the mantrap, not to the data floor. There are staff onsite during the day in that area, and after hours there is remote monitoring and regular security patrols.”
Still, Vocus said it would be “conducting an audit into the failure of the front door and contractors who undertook the work”.
“The security of our premises is paramount to our business, and we are taking this very seriously,” the spokesperson said.
iTnews reached Farr but he did not want to comment beyond what was already in the public domain.
Vocus committed to discuss Farr’s physical security concerns directly and iTnews understands that contact has been initiated.
