We hired an outside company to perform a vulnerability test on one of our sites. Within a few hours, we had problems. Entire tables wiped clean. Entire tables deleted. Hundreds of records in other tables gone. Some table data had been modified. This is all in a db running a LIVE, production site.
We have used the company in previous years with no issues. Obviously, the site has massive security holes. But, aside from that, my question/concern is this:
- How common is this? I get that no pentester can guarantee they won't jack something up, but I haven't heard of an automated scan actually deleting/modifying data in the database.
- Should I be concerned that the automated software used could actually be malicious (ironically)?
I'm just looking for a little guidance/thoughts/others' experiences on the situation.