ZDNet reported that a password-less ElasticSearch server belonging to a variety of online casinos has exposed the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more. The payment card details indexed in the server were partially redacted, however, meaning that they did not expose each user’s full financial details. The leaky server was found last week, was taken offline today and is no longer accessible.
FitMetrix user data exposed via passwordless ElasticSearch server cluster https://t.co/rR9BierfWU by @campuscodi
— ZDNET (@ZDNET) October 11, 2018
AIESEC has released its statement on the potential security incident on AIESEC platform: https://t.co/XXljxu7OzH
— AIESEC (@AIESEC) January 21, 2019
Expert Comments Below:
Mark Weiner, CMO at Balbix:
“Organizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200+ attack vectors for potential vulnerabilities. Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”
Rich Campagna, CMO at Bitglass:
“Companies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing the trust of their customers. In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPR’s transparency and consent laws.”
Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:
“No matter what the count is, it just goes to continue to prove a major point… companies all around the world are not all protecting personal data. When writing personally identifiable information onto a database or file, organizations need to do more. Even just following the basics sometimes would help. Even though this company is a Non-profit organization, GDPR fines may still apply. If “Taylor Smith” was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.”
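To make the tokenization point above concrete, here is an added illustration (not part of the original article or any commenter's product) of what "writing tokens instead of PII onto a database" looks like. The `TokenVault`, `tokenize_record` and `SAMPLE_RECORD` names are assumptions for this example: the vault is an in-memory stand-in for the separate, access-controlled service a real deployment would use, and tokens are generated at random rather than with a standardised format-preserving cipher. The sample bet record is constructed, not real data.

```python
import secrets
import string


class TokenVault:
    """Minimal reversible token vault (illustrative, in-memory).

    The real value is kept only here; the application database stores the
    token. Anyone who reads that database without access to the vault sees
    something like "FSLIDB ZPMDQ" rather than "Taylor Smith". A production
    vault lives in a separate, access-controlled service (typically
    HSM-backed) with every detokenize call audited.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same input -> same token, so tokens remain usable as join keys.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = format_preserving_token(value)
            # Reject the rare collision with an existing token, or with the
            # original value itself.
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def format_preserving_token(value: str) -> str:
    """Random token with the same shape as the input.

    Letters become random uppercase letters and digits become random digits;
    spaces, '@', '-' and other punctuation are kept, so length checks and
    display code downstream keep working on the token.
    """
    out = []
    for ch in value:
        if ch.isalpha():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.isdigit():
            out.append(secrets.choice(string.digits))
        else:
            out.append(ch)
    return "".join(out)


# Columns that count as PII and must be tokenized before the write.
PII_FIELDS = ("full_name", "email", "phone", "card_number")


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return the record as it should be written to the application DB:
    PII columns replaced by tokens, everything else unchanged."""
    stored = dict(record)
    for field in PII_FIELDS:
        if stored.get(field) is not None:
            stored[field] = vault.tokenize(stored[field])
    return stored


def detokenize_record(vault: TokenVault, stored: dict) -> dict:
    """Reverse of tokenize_record; only code with vault access can do this."""
    record = dict(stored)
    for field in PII_FIELDS:
        if record.get(field) is not None:
            record[field] = vault.detokenize(record[field])
    return record


# Constructed sample bet record (hypothetical values, not real data).
SAMPLE_RECORD = {
    "bet_id": 108000001,
    "full_name": "Taylor Smith",
    "email": "taylor.smith@example.com",
    "phone": "555-0101",
    "card_number": "4111111111111111",
    "stake": 25.00,
}


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE_RECORD)
    print("written to DB:", stored)
    print("recovered via vault:", detokenize_record(vault, stored))
```

The point the example makes is separation: an exposed copy of the application database (the situation described in the article) yields only tokens, and the mapping back to real names and card numbers requires a second, separately protected system. The shape-preserving tokens are what let existing validation and display logic keep working without ever seeing the real value.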
Carl Wright, CCO at AttackIQ:
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.