Global internet numbering and naming authority ICANN has issued regret over a two-year leak of private financial and technical documents attached to applications from generic top-level domain (gTLD) registrants.
ICANN's admission came after it published the findings of a third-party audit of log files for the 'new gTLD applicant' and 'global domains divisions' portals.
In the first instance, the consulting firm hired by ICANN for the audit went back as far as April 17 2013. For the global domains division, the firm went back to March 17 last year.
The auditors found that 19 users were able to use the advanced search function to glean confidential information on 96 gTLD applicants and 21 registry operators. A total of 330 search result records were viewed by the 19, whom ICANN did not name.
At least some of the information leaked would belong to large global brands who were required to submit financial records to ICANN as part of their gTLD registrations.
ICANN chief information officer Ashin Rangan said his organisation 'deeply regretted the incident' and pledged to harden its digital services.
A misconfiguration of the public/private data sharing setting in the Salesforce.com application used by ICANN enabled access to the confidential information, Rangan told industry website Domain Incite.
ICANN said it had written to the users who accessed the information without authorisation and asked them to explain why they did.
The organisation has also asked the users to confirm they will delete or destroy the data, and that they have not or will not use it, or convey the information to third parties.
Victims of the data breach will be informed by ICANN late next month who their confidential information was viewed by.