Experts Insight On Israeli Firm Leaks Addresses Of Millions Of Americans & Europeans

It has been reported that the Israeli marketing company Straffic leaked the sensitive personal data of millions of unsuspecting users, mostly from the US and Europe. The leak was caused by a misconfigured Elasticsearch database. Unlike other data breaches involving the Elasticsearch search engine software, where misconfiguration leaves the database reachable without any password, the database in this case was password protected. However, the password needed to access it sat in a plaintext file that was publicly exposed on another domain. The database was first identified by security researcher “@0m3n”, who gained access to 140 GB worth of records. These included 49 million unique e-mail addresses, together with the names, gender, telephone numbers and postal addresses of Americans and Europeans.
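The failure pattern here was not an open database but a protected one whose credential was served as a plaintext file. As an added example (not code from the report or from Straffic), the check below scans a web-served directory for files that embed credentials for a separately protected datastore, either as `user:password@` inside a connection URL or as a password-named key in a config line, and reports the finding without copying the secret itself. All file names, hosts and secrets are constructed.

```python
"""Added example: flag plaintext credential files under a public web root.
All paths, hosts and secrets below are constructed for illustration."""
import re
from pathlib import Path
from urllib.parse import urlsplit

# A URL with an embedded user:password@ pair, under any scheme.
URL_WITH_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s\"']+", re.I)
# A key=value or key: value line whose key names a password or secret.
SECRET_KEY_LINE = re.compile(
    r"^[ \t]*([\w.-]*(?:password|passwd|pwd|secret)[\w.-]*)[ \t]*[:=][ \t]*\S+", re.I | re.M)

def scan_files(files):
    """files: {relative_path: text}. Findings omit the secret value itself,
    so the report does not become one more copy of the credential."""
    findings = []
    for name, text in files.items():
        for m in URL_WITH_CREDS.finditer(text):
            u = urlsplit(m.group(0))
            findings.append({"file": name, "kind": "url-embedded-credentials",
                             "host": u.hostname, "port": u.port, "user": u.username})
        for m in SECRET_KEY_LINE.finditer(text):
            findings.append({"file": name, "kind": "plaintext-secret", "key": m.group(1)})
    return findings

def scan_webroot(root):
    """Scan every readable text file below a directory that is served publicly."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p.relative_to(root))] = p.read_text(errors="strict")
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: not a plaintext credential file
    return scan_files(files)

# Constructed sample of a public web root; the hosts and secrets are invented.
SAMPLE_WEBROOT = {
    "index.html": "<html><body>Welcome</body></html>\n",
    "config/es.env": "ES_HOST=https://es.internal.example:9200\nES_USER=ingest\nES_PASSWORD=Sup3rSecret!\n",
    "scripts/export.sh": "curl -s 'https://ingest:Sup3rSecret!@es.internal.example:9200/contacts/_search'\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_WEBROOT):
        print(finding)
```

Run `scan_webroot("/var/www/html")` (path is an assumption) against a staging copy of the web root before deployment; any finding means a credential is one HTTP request away from anyone on the internet.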

Experts Comments

March 02, 2020
Raif Mehmet
Sales Director
Bitglass
PII (personally identifiable information) stored on servers in the cloud or web facing should be protected, and for European data under GDPR must be protected. Since this server was clearly accessible via the web and there was no network perimeter security challenging potential hackers, the best way to secure this type of service is with a Zero Trust CASB. Proxying all traffic to the server introduces a zero trust cloud which leads to contextually aware network access. All traffic to and from the server would also be scanned for DLP and malware, stopping potentially dangerous vulnerabilities from being exploited until patched. File encryption could add another layer of security to all PII information. Techniques can also be used to search on the data by installing handles prior to encrypting the data.
March 02, 2020
Adam Brown
Manager of Security Solutions
Synopsys
When controlling and processing huge amounts of data like this, firms have a huge responsibility to process it legitimately and securely. I’m sure there will be questions from the supervisory authorities of the home nations of the European persons represented in that list – did the firm really have the right to keep and process each one / any of those personal records? That in itself is a major breach of privacy law if not, i.e. there are major GDPR fines at stake here. Privacy aside, the report states that this firm did have access control of some kind protecting this database; however, the researcher effectively found the keys to the lock in another location that was left open. This is a little like locking your car and then leaving the keys under the wheel arch, but instead of the car being at risk of being stolen, the privacy rights of millions of individuals were at risk, and were stolen. A model of the design of the system with a threat model overlaid would have identified the key to the database as an asset, identified the lack of security controls around that key, and identified the attacker and the attack vector.