198 Million Car-Buyer Records Exposed – Experts Comments

It has been reported that over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, has been found exposed on the internet for anyone to see. The non-password protected Elasticsearch database belonged to Dealer Leads, which is a company that gathers information on prospective buyers via a network of SEO-optimised, targeted websites.

According to the researcher, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database in total contained 413GB of data. The information included records with names, email addresses, phone numbers, physical addresses, IP addresses and other sensitive or identifiable information exposed to the public internet in plain text.

Experts Comments

September 16, 2019
Hugo van Den Toorn
Manager, Offensive Security
Outpost24
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password. With the countless possibilities of ‘quickly deploying a system in the.....Read More
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password. With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations. As datasets grow to these sized, the data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately not everyone protects is like the valuable asset it is.  Read Less
September 13, 2019
Lisa Baergen
VP of Marketing
NuData Security
Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial.....Read More
Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach. In addition, the exposed information in this database includes personally identifiable information such as name, last name, address, phone number – which can be used for identity theft. Passive biometrics and behavioral analytics, can help prevent the online use of this information, whether it is utilized for account takeover or for the creation of new accounts under the stolen identity. This technology helps verify people and detect unusual online patterns based on the user’s behavior. It also acts as a post-breach control, allowing online companies to block fraudulent transactions even if the cybercriminal has the right password or other credentials.  Read Less
September 12, 2019
Oscar Tovar
Application Security Specialist
WhiteHat Security
Data leaks are something that should definitely be taken seriously. Not only do they damage a brand's reputation, but they also hurt the privacy of their clients. The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstance where private information storage is exposed publicly. There is not any margin for error when it comes to this, since once a leak happens there is no going back. Following.....Read More
Data leaks are something that should definitely be taken seriously. Not only do they damage a brand's reputation, but they also hurt the privacy of their clients. The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstance where private information storage is exposed publicly. There is not any margin for error when it comes to this, since once a leak happens there is no going back. Following best practices such as network segmentation and the 'least privilege' model help prevent these kinds of leaks from occurring. Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, giving only users the least amount of necessary privileges to data access lessens the probability of a data leak. Surprisingly, these heavily recommended practices are not followed commonly. A simple search on shodan.io will show a plethora of S3 buckets, and Database API Endpoints that are publicly accessible without any security restraints. This leak should serve as a reminder that network attached infrastructure should constantly be audited for best practices and recommended security configurations.  Read Less
September 12, 2019
Anurag Kahol
CTO
Bitglass
There are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases – meaning it doesn't take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity. Vulnerabilities such as these can pose major threats to data security, data subject wellbeing,.....Read More
There are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases – meaning it doesn't take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity. Vulnerabilities such as these can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. There is no excuse for negligent security practices such as leaving databases exposed. As such, all companies, even those with limited IT resources, must take full responsibility for securing user data and should turn to flexible, cost-effective solutions that can prevent data leakage. For example, cloud access security brokers that boast features like cloud security posture management, data loss prevention, user and entity behaviour analytics, and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.  Read Less
September 12, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have. Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data, and with modern websites and apps, it is easy for companies to harvest more and more data from consumers than ever before. But just .....Read More
Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have. Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data, and with modern websites and apps, it is easy for companies to harvest more and more data from consumers than ever before. But just because it is possible to collect data on individuals, it doesn't mean that it should. In fact, businesses should treat customer data in the same way as radioactive material should be treated - with great caution, using effective protection and only the amounts that are absolutely necessary.  Read Less
September 12, 2019
Israel Barak
Chief Information Security Officer
Cybereason
The Dealer Leads breach is yet another reminder that this type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors. This breach once again highlights the advantage adversaries have against defenders. The vast attack surface is extremely difficult to defend, and.....Read More
The Dealer Leads breach is yet another reminder that this type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors. This breach once again highlights the advantage adversaries have against defenders. The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn't take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders. This is yet another wake-up call to corporations, third party vendors and all defenders to improve their security hygiene, update security patches and provide security awareness training.  Read Less
September 12, 2019
Robert Ramsden Board
VP EMEA
Securonix
Cloud storage misconfigurations exposing sensitive information online is becoming increasingly common demonstrating how some organisations are not taking security seriously enough. Those that choose to use cloud-based databases need to practice basic cyber hygiene when configuring and securing these systems. Data protection and privacy are paramount in today’s security landscape, and businesses that do not implement appropriate safeguards risk falling foul of the law and losing customer.....Read More
Cloud storage misconfigurations exposing sensitive information online is becoming increasingly common demonstrating how some organisations are not taking security seriously enough. Those that choose to use cloud-based databases need to practice basic cyber hygiene when configuring and securing these systems. Data protection and privacy are paramount in today’s security landscape, and businesses that do not implement appropriate safeguards risk falling foul of the law and losing customer trust.  Read Less
September 12, 2019
Warren Poschman
Senior Solutions Architect
comforte AG
With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best .....Read More
With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and de-identify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts