108M Records Exposed via Misconfigured ElasticSearch Server

By   ISBuzz Team
Writer , Information Security Buzz | Jan 22, 2019 03:30 am PST

ZDNet reported that a password-less ElasticSearch server belonging to a variety of online casinos has compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more. The payment card details indexed in the server were partially redacted however, meaning that they were not exposing each user’s full financial details. The leaky server was found last week and was just taken offline today and is not accessible anymore.

Experts Comments Below:

Mark Weiner, CMO at Balbix:

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks such as the VOIPo and Oklahoma Securities Commission’s latest incidents. 108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.

Organizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200+ attack vectors for potential vulnerabilities. Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”

Rich Campagna, CMO at Bitglass:

“This breach is yet another example of a company that exposed massive amounts of consumer data due to a simple security mistake. Leaving a server publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.

Companies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing the trust of their customers. In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPR’s transparency and consent laws.”

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:

“Merry belated Christmas, millennials. By the way, your data was exposed… Of the 4 million intern applications unprotected, a company rep claims only 40 of the records were actually exposed.

No matter what the count is, it just goes to continue prove a major point… companies all around the world are not all protecting personal data. When writing personally identifiable information on to a database or file, organizations need to do more. Even just following the basics sometimes, would help. Even though this company is a Non-profit organization, GDPR fines may still apply.  If “Taylor Smith” was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.”

Carl Wright, CCO at AttackIQ:

“Lately we have seen a proliferation of protection failures resulting in massive data leakages. Almost all of these instances would have been preventable if the affected organizations understood that their security stack was misconfigured.  It is time that enterprises test their respective security posture proactively rather than waiting for cyber attackers to thwart any existing, or lack of, cyber defense.  There is no excuse for deploying security controls that are not properly configured, therefore resulting in protection failures.”

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x