Expert commentary: Razer Gaming Fans Caught Up in Data Leak From Misconfigured Elasticsearch

A cloud misconfiguration at the gaming-gear merchant potentially exposed 100,000 customers to phishing and fraud. Security consultant Bob Diachenko ran across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer’s infrastructure to the public internet, for anyone to see.

Source: https://threatpost.com/razer-gaming-fans-data-leak/159147/

Experts Comments

September 14, 2020
Trevor Morgan
Product Manager
comforte AG
Managing and securing customer data is no game – the breach at Razer is another testament that privacy requires organizations to take data security seriously and move beyond reinforcing perimeter and access controls. This is not to say that they need to neglect perimeter security. However, no matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands—either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight. Data-centric security addresses the need for security to travel with the data it protects (rather than merely securing the boundaries around that data). Standard encryption-based security is one way to do this, but encryption methods come with sometimes-complicated administrative overhead to manage keys. Also, many encryption algorithms can be easily cracked. Tokenization, on the other hand, is a data-centric security method that replaces sensitive information with innocuous representational tokens. This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens. Sensitive information remains protected, resulting in the inability of threat actors to monopolise on the breach and data theft. Had this highly sensitive personal data been tokenized in the Razer environment, none of it would have had the potential to compromise individual users. This type of preventative helps keep organisations within compliance regulations and helps to avoid other liability-based repercussions.