It was announced today that MyCastingFile.com, a popular website used to cast US talent in movies and television shows, exposed the data of roughly 260,000 individuals online. Researchers discovered an open Elasticsearch server, hosted by Google Cloud, in the United States. The database was not secured by any form of authentication and, in total, close to 10 million records were exposed.
US actor casting company leaked private data of over 260,000 individuals https://t.co/ie2Ogdd99Z
— ZDNET (@ZDNET) July 16, 2020
The reality is that properly maintaining cloud security is a complex and multi-tiered set of requirements – even the best practitioners will remain challenged to cover all the bases on a continuous basis. These issues most frequently revolve around a lack of visibility into faulty controls, not a lack of effort.
Perhaps the biggest hurdle, even greater than monitoring for risky configurations, as in this case, relates to better management of cloud data itself. We find that organizations are moving so fast to embrace cloud apps and infrastructure that they cannot maintain visibility into all the issues of data protection and access required to prevent subsequent breaches.
The unsecured database containing personal information for 260,000 MyCastingFile.com users puts them at risk of being victimized by fraud. Leaving their names, home addresses, phone numbers, email addresses and work histories exposed could allow cybercriminals to unlock accounts created with this information. Because the database lacked authentication, victims are at risk for identity theft, insurance fraud, and account takeover. Beyond security risks, the privacy of these individuals was violated as weight, ethnicity, hair color and other physical feature information was also found in the unsecured database.
Enterprises are responsible for keeping their user data secure and out of the wrong hands, and unsecure databases are a surefire way to lose user trust and an average of $3.92 million per breach. Lack of protection for a database containing personal data is unacceptable in today’s security landscape. Implementing biometric authentication (leveraging a person’s unique human traits to confirm identity) is a secure way to ensure only authorized users can access databases with sensitive information.