Gearbest Misconfiguration Exposes 1.5M Records

By ISBuzz Team, March 15, 2019 (updated July 4, 2024)
News broke that Gearbest, a Chinese online shopping giant, exposed 1.5 million records on an Elasticsearch server that was not protected with a password, allowing anyone to search the database. The exposed information includes names, addresses, phone numbers, email addresses, customer orders, products purchased and, in some cases, passport numbers and other national ID data. Gearbest ranks as one of the top 250 global websites and serves top brands, including Asus, Huawei, Intel and Lenovo.

The researcher who discovered the exposed Elasticsearch server also found a separate exposed web-based database management system on the same IP address, allowing anyone to manipulate or disrupt the databases run by Gearbest's parent company, Globalegrow. Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the U.K., where EU data protection and privacy laws apply. This is the second security issue at Gearbest in as many years: in December 2017, the company confirmed accounts had been breached after what was described as a credential stuffing attack.

Expert Comments Below: 

Brian Johnson, CEO and Co-founder at DivvyCloud: 

“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organizations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords, were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.

Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.” 

Stephan Chenette, CTO and Co-founder at AttackIQ: 

“This breach could have been easily prevented if Gearbest had put in place basic password protection to this database, and applied the learnings from a similar breach just over a year ago to improve their security practices and policies. All too often, companies suffer similar breaches because they don’t fully understand the cause of the previous breach, and how to recover. Organizations that have systems in place to proactively test the efficacy of their security controls are not only better protected, but can improve over time as they find and remediate gaps in their security program.” 

Ben Goodman, VP of Global Strategy and Innovation at ForgeRock: 

“The hacking of yet another huge trove of personally identifiable information reminds us of the responsibility that organizations that hold such data have and the resulting low security value of this data as a result of these breaches. Like so many previous hacks, this data will quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers. Now, more than ever, organizations must use modern behavioral analytics, Know Your Customer and identity proofing tools during account originations and during email and password reset to fight against these well-armed fraudsters.”

Anurag Kahol, CTO at Bitglass: 

“It’s concerning when it takes an organization months, or even years, to recognize that a misconfigured server has enabled a breach or a leak. As a global e-commerce provider that ships to over 250 countries and territories, ranks in the top 100 websites in almost 30 percent of said regions, and has subdomains in 18 different languages, Gearbest must adopt a flexible security platform that proactively detects and responds to new threats as they arise. Allowing a server to remain misconfigured for a prolonged period of time increases the odds that a malicious actor can find it and exploit the information therein for their own nefarious purposes.

Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage. For example, leading cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and other capabilities that can give an organization confidence that its data is truly safe.” 

Tim Mackey, Senior Technical Evangelist at Synopsys:

“Today, organisations simply cannot afford to neglect the security of their applications, especially in industries like retail and banking where processing and storing payment card and financial data is standard operations. In the latest mega-breach uncovered by VPNMentor, Gearbest has demonstrated that even the most obvious cyber-attack targets can fail to maintain basic security hygiene. 

In this instance, the entire database for Gearbest’s global operations, and those of its sister companies, were left completely unsecured. This means that not only is personal information available to attackers, but also critical information like order history and payment details are readily available. Armed with this information, it’s possible to create a targeted profile of any users which includes personal preferences. While Gearbest has privacy statements indicating they don’t collect certain PII and what PII they do collect is secured, what VPNMentor uncovered shows a clear disconnect between the policy and its implementation. 

This incident has clear lessons for anyone operating a website which collects or processes personal information: 

  1. Follow OWASP guidelines and ensure all systems are properly secured 
  2. Review privacy regulations not only for your jurisdiction, but also where your customers and users reside 
  3. Do not collect or retain any information which doesn’t serve a clear purpose for your customers and users 
  4. Ensure that any system which shouldn’t be accessible from the Internet can’t be 
  5. Implement a security and incident response process which is responsive to issues the ethical hacking community uncovers”
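The two comments above (Brian Johnson on automated detection of the Elasticsearch misconfiguration, and Tim Mackey's lesson 4 on keeping internal systems off the Internet) both come down to a configuration check. The following is an added illustration, not code from the article or from any vendor quoted in it: it audits a constructed `elasticsearch.yml` for a node that is bound to a public interface while authentication is switched off, and shows the weak settings beside a hardened set. The settings names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch options; the sample values and the severity wording are this example's own.

```python
"""Audit an elasticsearch.yml for the Gearbest pattern: a node reachable from
the network with authentication disabled. Added example, not the article's code."""

# Constructed sample: bound to every interface, no authentication, no TLS.
WEAK_CONFIG = """\
cluster.name: orders
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: private address, authentication and TLS on.
HARDENED_CONFIG = """\
cluster.name: orders
network.host: 10.0.1.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Bindings that expose the HTTP API beyond the loopback interface.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}


def parse_settings(text):
    """Minimal parser for the flat 'dotted.key: value' lines Elasticsearch uses
    (nested YAML blocks and lists are out of scope for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_settings(text)
    host = s.get("network.host", "localhost")  # ES default binds loopback only
    exposed = host in PUBLIC_BINDINGS
    # Assumption: a missing xpack.security.enabled is treated as disabled,
    # the conservative reading for the 6.x/7.x releases current in 2019.
    auth_on = s.get("xpack.security.enabled", "false") == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false") == "true"
    findings = []
    if not auth_on:
        where = f"and bound to {host}, reachable by anyone on the network" if exposed else "(loopback only)"
        findings.append(f"CRITICAL: authentication disabled {where}")
    if exposed and not tls_on:
        findings.append(f"HIGH: HTTP API on {host} served without TLS")
    return findings
```

Run `audit(WEAK_CONFIG)` and `audit(HARDENED_CONFIG)` to compare the two: the first reports both findings, the second reports none.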

Stephen Gailey, Head of Solutions Architecture at Exabeam:

“Gearbest’s woes highlight a fundamental truth about information security – it doesn’t matter how good your technology is, in the end it will be let down by poor operational practices. Admittedly some technologies make it harder than others to get things right, but the reality is that operational teams either don’t understand security best practices or are given too little time and resource to follow them. What happened at Gearbest in terms of poor operational controls is happening across the world today and the next company to be in the news is probably being breached as we speak.”

Naaman Hart, Cloud Services Security Architect at Digital Guardian:

“The most shocking thing about this is the complete mistruth that was told to customers of Gearbest. Data at rest encryption was the promise and it doesn’t appear to have been the case at all. While breaches can be seen as almost unavoidable these days, encryption of the data stolen should be a given, especially given the sensitivity of the data Gearbest stored. Worryingly it’s not just the usual names, addresses, passwords and emails; the data includes passport details and national IDs. Gearbest don’t appear to have shown any care in segregating information, that while it’s all personal, it’s not equal.

“The data was linked so easily together that a complete profile of someone could be built that exposes the individual to identity fraud. There are many other risks that could now befall the individual customer and trying to fix this problem by invalidating their data by requesting new passports and national IDs is not only difficult, it’s sometimes impossible. Gearbest’s customers may have to accept that they’re forever exposed to additional risk thanks to the mismanagement of their data.

“It appears that Gearbest failed on two counts of poor configuration. First, they failed to protect a ‘big data’ Elasticsearch setup and secondly, they failed to encrypt any of that data. Both of these are configuration and best practice problems and frankly there’s little excuse for not implementing them correctly. Ultimately if you can’t trust a company to get the basics right, definitely don’t trust them to keep you and your data safe.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.