Experts Insight On Israeli Firm Leaks Addresses Of Millions Of Americans & Europeans

By ISBuzz Team
Writer, Information Security Buzz | Mar 02, 2020 03:10 am PST

It has been reported that Israeli marketing company Straffic has leaked sensitive personal data of millions of unsuspecting users, mostly from the US and Europe. The leak took place due to a misconfigured Elasticsearch database. Unlike other data breaches involving the search engine software Elasticsearch, where databases are accessible without a password due to misconfiguration, the database was protected in this case. However, the password to access the database was in a plaintext file exposed to the public on another domain. Originally, the database was identified by a security researcher, “@0m3n”, who gained access to 140 GB worth of records. This included 49 million unique e-mail addresses, names, gender, telephone numbers and addresses of Americans and Europeans.

2 Expert Comments
Raif Mehmet, Sales Director
March 2, 2020 11:22 am

PII (personally identifiable information) stored on servers in the cloud or web-facing should be protected, and for European data under GDPR must be protected. Since this server was clearly accessible via the web and there was no network perimeter security challenging potential hackers, the best way to secure this type of service is with a Zero Trust CASB.

Proxying all traffic to the server introduces a zero trust cloud, which leads to contextually aware network access. All traffic to and from the server would also be scanned for DLP and malware, stopping potentially dangerous vulnerabilities from being exploited until patched. File encryption could add another layer of security to all PII information. Techniques can also be used to search on the data by installing handles prior to encrypting the data.

Adam Brown, Manager of Security Solutions
March 2, 2020 11:14 am

When controlling and processing huge amounts of data like this, firms have a huge responsibility to process it legitimately and securely. I’m sure there will be questions from the supervisory authorities of the home nations of the European persons represented in that list – did the firm really have the right to keep and process each one / any of those personal records? That in itself is a major breach of privacy law if not, i.e. there are major GDPR fines at stake here.

Privacy aside, the report states that this firm did have access control of some kind protecting this database; however, the researcher effectively found the keys to the lock in another location that was left open. This is a little like locking your car and then leaving the keys under the wheel arch, but instead of the car being at risk of being stolen, the privacy rights of millions of individuals were at risk, and were stolen.

A model of the design of the system with a threat model overlaid would have identified the key to the database as an asset and the lack of security controls around that key, and identified the attacker and the attack vector.
