An interesting story has run on exposed databases.
According to a story in Infosecurity Magazine, a US education non-profit, the Institute of International Education (IIE) has unwittingly leaked the personal information of thousands of students after leaving two online MongoDB databases exposed.
The database contained links with active access token to documents stored elsewhere. These links were to passport scans, application forms, visas, emails as well as other documents. If either database was accessed it could provide a treasure trove of sensitive information for use in follow-on fraud.
Managing students’ medical forms, passport scans, visa documents as well as other highly sensitive data, makes the Institute of International Education an attractive target for cyberattacks. While there is no evidence that the data has been misused, the temporary exposure still opened up a window for threat actors to access the vulnerable data in order to use it to commit identity theft or launch highly targeted phishing attacks toward the impacted students. Consequently, the nonprofit may face costly penalties for violating compliance regulations, such as CCPA, GDPR and even HIPAA.
Organisations must take the proper cloud security steps in 2020, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their databases, maintain compliance with regulations, and protect the sensitive data that they have been entrusted with.