Leaky Databases Are a Scourge. MongoDB Is Doing Something About It

MongoDB, a database software provider whose stock has been on a tear recently, just hired its first-ever chief information security officer. The appointment, which came Friday, signals that the company plans to take security more seriously even as it faces stiffened competition from the likes of Amazon and other tech giants.

The new boss is Lena Smart, a Glaswegian cybersecurity professional. Smart formerly held the same title at IPO-bound Tradeweb, a financial services firm that supplies the technology behind certain electronic trading markets. Prior to Tradeweb, she headed security at the New York Power Authority, where she worked for more than a decade. A cellist in her spare time, Smart told me in her Scottish brogue that her priority in the new job will be “knowing what the crown jewels are—that’s our customer data—and making sure that’s always protected.”

People leaving MongoDB and other databases unsecured on the web has been a persistent source of data-leaks over the years. Just this month, a security researcher discovered one such sieve that exposed to public view a trove of sensitive information, including location data, on millions of people in China. The misconfigured repository appears to have originated from SenseNets, a Shenzhen-based company that is likely providing the Chinese government with crowd-surveilling, facial recognition technology to track the country’s muslim Uyghur population. This is just the latest leak example; there are innumerable others.

Despite the frequency of these leaks, the situation seems to be improving. Most of these inadvertent leaks have sprung, in fairness, from people using outdated instances of the company’s so-called community edition software, a free, barer-bones version of the database product. Mark Wheeler, a MongoDB spokesperson, conceded that the 12-year-old company “struggled in its early years to find the right balance with security.” But he avers that updates to the default settings of MongoDB’s software over the past few years, plus key security team hires—including guardians Davi Ottenheimer, Kenn White, and now Smart—are changing the equation.

As Smart’s scope involves securing the totality of MongoDB’s business, the data-spillage issue ultimately falls to her. She says she’ll continue educating customers in best practices when it comes to security. She says she will also aim to imbue the company’s product development process with security, quality assurance, and testing from the earliest stages. “If we can get in at the very start” of the software development lifecycle, Smart says, it will “save us time and money and make our products more reliable and secure.”

The leaky database issue is one that extends well beyond MongoDB. It’s also a problem for rivals such as Amazon, particularly its S3 buckets, Elastic, and others. Like so many companies, these database-makers are looking now to shore up their software in the hopes of turning a historical weakness—cybersecurity—into a competitive strength. As Dev Ittycheria, MongoDB’s president and CEO, tells Fortune: making the company’s products as secure as possible “is critical to our business.”

Indeed, it’s critical to MongoDB and, increasingly, every business.

A version of this article first appeared in Cyber Saturday, the weekend edition of Fortune’s tech newsletter Data Sheet. Sign up here.

Paul Rosen