It has been reported that over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses of website visitors, have been found exposed on the internet for anyone to see. The non-password-protected Elasticsearch database belonged to Dealer Leads, a company that gathers information on prospective buyers via a network of SEO-optimised, targeted websites.
According to the researcher, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database in total contained 413GB of data. The information included records with names, email addresses, phone numbers, physical addresses, IP addresses and other sensitive or identifiable information exposed to the public internet in plain text.
This is a typical example of a misconfigured system. It should never have been possible for anyone on the Internet, let alone without authentication, to access the data stored in the database. Even Elastic themselves state in one of their recent blog posts on securing Elasticsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password.”
With the countless possibilities of ‘quickly deploying a system in the cloud’, security is still often overlooked by organisations. As datasets grow to these sizes, the data becomes increasingly valuable to the business and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.
Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach. In addition, the exposed information in this database includes personally identifiable information such as first name, last name, address and phone number, which can be used for identity theft. Passive biometrics and behavioral analytics can help prevent the online use of this information, whether it is utilized for account takeover or for the creation of new accounts under the stolen identity. This technology helps verify people and detect unusual online patterns based on the user’s behavior. It also acts as a post-breach control, allowing online companies to block fraudulent transactions even if the cybercriminal has the right password or other credentials.
Data leaks are something that should definitely be taken seriously. Not only do they damage a brand’s reputation, but they also hurt the privacy of its clients. The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstance where private information storage is exposed publicly. There is no margin for error when it comes to this, since once a leak happens there is no going back.
Following best practices such as network segmentation and the ‘least privilege’ model helps prevent these kinds of leaks from occurring. Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, granting users only the minimum privileges required to access data lessens the probability of a data leak.
Surprisingly, these heavily recommended practices are not commonly followed. A simple search on shodan.io will show a plethora of S3 buckets and database API endpoints that are publicly accessible without any security restrictions. This leak should serve as a reminder that network-attached infrastructure should constantly be audited for best practices and recommended security configurations.
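As an added example (not code from the article, from Elastic or from Dealer Leads), here is a small offline audit of an elasticsearch.yml that flags exactly the combination Elastic warns about above: a node bound to a public interface with authentication switched off, shown side by side with a hardened configuration. The settings it checks (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings; the two sample configurations, the severity labels and the assumption that xpack.security.enabled defaults to false before 8.x are constructed for this example and should be verified against the version actually deployed.

```python
"""Offline audit of an Elasticsearch node configuration (elasticsearch.yml).

Flags a node that is bound to a public interface while authentication is
disabled, the misconfiguration behind the exposure discussed in the article.
Sample configs and severity labels are constructed for this example.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: the kind of config that leaves an index open to anyone.
EXPOSED_CONFIG = """
cluster.name: leads-prod
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed sample: private subnet bind, authentication and TLS on.
HARDENED_CONFIG = """
cluster.name: leads-prod
network.host: 10.0.5.12        # private address, behind a security group
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml.

    Strips '#' comments and quotes. Nested YAML blocks are deliberately not
    handled so the example stays free of third-party dependencies.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def classify_binding(host: str) -> str:
    """Classify a network.host value as 'loopback', 'private' or 'public'.

    Elasticsearch's special values (_local_, _site_, _global_) and the wildcard
    addresses are handled explicitly; literal IPs use the ipaddress module.
    Hostnames and interface names are treated as public (worst case).
    """
    if host in {"_local_", "localhost"}:
        return "loopback"
    if host == "_site_":
        return "private"
    if host in {"_global_", "0.0.0.0", "::"}:
        return "public"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def _is_false(value: str | None) -> bool:
    return value is not None and value.lower() == "false"


def audit_elasticsearch(text: str, version_major: int = 7) -> list[str]:
    """Return a list of findings for one config; an empty list means clean.

    version_major matters because (assumption for this example) the
    xpack.security.enabled default is false on 7.x and true on 8.x.
    """
    s = parse_flat_yaml(text)
    findings: list[str] = []

    host = s.get("network.host", "_local_")  # Elasticsearch's own default
    exposure = classify_binding(host)
    security = s.get("xpack.security.enabled")
    auth_off = _is_false(security) or (security is None and version_major < 8)
    tls_off = _is_false(s.get("xpack.security.http.ssl.enabled", "false"))

    if exposure == "public" and auth_off:
        findings.append(f"CRITICAL: network.host={host} with authentication "
                        "disabled exposes every index to unauthenticated clients")
    elif exposure == "private" and auth_off:
        findings.append(f"HIGH: network.host={host} is reachable from the whole "
                        "network without authentication")
    elif auth_off:
        findings.append("INFO: authentication disabled on a loopback-only node")
    if exposure != "loopback" and tls_off:
        findings.append("MEDIUM: HTTP API served without TLS on a non-loopback interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {audit_elasticsearch(cfg) or ['no findings']}")
```

Run it against a real elasticsearch.yml by reading the file into `audit_elasticsearch`; a non-empty list is the cue to fix the bind address or enable security before the node is reachable from anything other than the host itself.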
There are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases, meaning it doesn’t take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity.
Vulnerabilities such as these can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. There is no excuse for negligent security practices such as leaving databases exposed. As such, all companies, even those with limited IT resources, must take full responsibility for securing user data and should turn to flexible, cost-effective solutions that can prevent data leakage, for example cloud access security brokers that offer features like cloud security posture management, data loss prevention, user and entity behaviour analytics, and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.
Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have.
Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data, and with modern websites and apps it is easier than ever for companies to harvest more and more data from consumers. But just because it is possible to collect data on individuals doesn’t mean that it should be collected.
In fact, businesses should treat customer data the way radioactive material is treated: with great caution, using effective protection, and only in the amounts that are absolutely necessary.