It has been reported that Israeli marketing company Straffic has leaked personal sensitive data of millions of unsuspecting users mostly from the US and Europe. The leak took place due to a misconfigured Elasticsearch

PII (personally identifiable information) stored on servers in the cloud or web-facing should be protected, and for European data under GDPR it must be protected. Since this server was clearly accessible via the web and there was no network perimeter security challenging potential hackers, the best way to secure this type of service is with a Zero Trust CASB.
Proxying all traffic to the server introduces a zero trust cloud, which leads to contextually aware network access. All traffic to and from the server would also be scanned for DLP and malware, stopping potentially dangerous vulnerabilities from being exploited until patched. File encryption could add another layer of security to all PII information. Techniques can also be used to search on the data by installing handles prior to encrypting the data.
When controlling and processing huge amounts of data like this, firms have a huge responsibility to process it legitimately and securely. I’m sure there will be questions from the supervisory authorities of the home nations of the European persons represented in that list – did the firm really have the right to keep and process each one / any of those personal records? That in itself is a major breach of privacy law if not, i.e. there are major GDPR fines at stake here.
Privacy aside, the report states that this firm did have access control of some kind protecting this database; however, the researcher effectively found the keys to the lock in another location that was left open. This is a little like locking your car and then leaving the keys under the wheel arch, but instead of the car being at risk of being stolen, the privacy rights of millions of individuals were at risk, and were stolen.
A model of the design of the system with a threat model overlaid would have identified the key to the database as an asset, the lack of security controls around that key, and the attacker and the attack vector.
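The "misconfigured Elasticsearch" in the report and the missing perimeter controls the first commenter describes come down to a handful of node settings. The audit below is added here and is not part of the article or of any expert's submission: it parses a flat elasticsearch.yml fragment and flags the combination of a non-loopback bind address with authentication left off; the two configurations are constructed samples, not Straffic's.

```python
# Added example: audit elasticsearch.yml settings that leave an index
# reachable without authentication. Both configs below are constructed
# samples, not taken from the incident described in the article.

EXPOSED_CONFIG = """\
cluster.name: marketing-prod
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: marketing-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the HTTP API on the local machine only.
LOOPBACK_HOSTS = {"", "127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat `dotted.key: value` lines elasticsearch.yml uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    exposed = settings.get("network.host", "") not in LOOPBACK_HOSTS
    auth_on = settings.get("xpack.security.enabled", "").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    if exposed:
        findings.append("network.host binds the HTTP API to a non-loopback interface")
    if not auth_on:
        findings.append("xpack.security.enabled is not explicitly true: no authentication")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated Elasticsearch reachable over the network")
    if exposed and not tls_on:
        findings.append("HTTP API exposed without TLS: data and credentials travel in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(parse_flat_yaml(cfg)) or ["OK"])
```

Running it against a real node's elasticsearch.yml is a quick pre-deployment check; treating a missing `xpack.security.enabled` as "not enabled" is deliberate, since the default has differed across Elasticsearch versions.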