News broke that Gearbest, a Chinese online shopping giant, exposed 1.5 million records on an Elasticsearch server that was not protected with a password, allowing anyone to search the database. The exposed information includes names, addresses, phone numbers, email addresses, customer orders, products purchased, and in some cases, passport numbers and other national ID data. Gearbest ranks as one of the top 250 global websites, and serves top brands, including Asus, Huawei, Intel and Lenovo.
The researcher who discovered the exposed Elasticsearch server also found a separate exposed web-based database management system on the same IP address, allowing anyone to manipulate or disrupt the databases run by Gearbest’s parent company, Globalegrow. Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the U.K., where EU data protection and privacy laws apply. This is the second security issue at Gearbest in as many years. In December 2017, the company confirmed accounts had been breached after what was described as a credential stuffing attack.
Expert Comments Below:
Brian Johnson, CEO and Co-founder at DivvyCloud:
“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organizations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.
Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.”
Stephan Chenette, CTO and Co-founder at AttackIQ:
Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:
Anurag Kahol, CTO at Bitglass:
“Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage. For example, leading cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and other capabilities that can give an organization confidence that its data is truly safe.”
Tim Mackey, Senior Technical Evangelist at Synopsys:
“In this instance, the entire database for Gearbest’s global operations, and those of its sister companies, were left completely unsecured. This means that not only is personal information available to attackers, but also critical information like order history and payment details are readily available. Armed with this information, it’s possible to create a targeted profile of any users which includes personal preferences. While Gearbest has privacy statements indicating they don’t collect certain PII and what PII they do collect is secured, what VPNMentor uncovered shows a clear disconnect between the policy and its implementation.
This incident has clear lessons for anyone operating a website which collects or processes personal information:
- Follow OWASP guidelines and ensure all systems are properly secured
- Review privacy regulations not only for your jurisdiction, but also where your customers and users reside
- Do not collect or retain any information which doesn’t serve a clear purpose for your customers and users
- Ensure that any system which shouldn’t be accessible from the Internet can’t be
- Implement a security and incident response process which is responsive to issues the ethical hacking community uncovers”
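The two comments above both come down to the same control: an Elasticsearch node that answers unauthenticated requests from the Internet must be found before someone else finds it. The following is an added example, not code from the article or from any of the quoted companies, of the check an automated posture tool would run against an inventory of hosts the defender operates. An unauthenticated `GET /` on a properly secured node returns 401 or 403; an open node returns a JSON banner with `cluster_name` and a `version` block, which is the signature this check keys on. The host names, port and sample responses below are constructed for illustration.

```python
"""Posture check: does an Elasticsearch endpoint answer without credentials?

Added example for the article's discussion of misconfigured Elasticsearch
servers; the hosts and responses here are constructed, not real data.
"""
import json
import urllib.error
import urllib.request

OPEN = "open"            # unauthenticated request returned a cluster banner
PROTECTED = "protected"  # endpoint demanded credentials (401/403)
NOT_ES = "not_es"        # something answered, but not an Elasticsearch banner
UNREACHABLE = "unreachable"


def classify_response(status: int, body: str) -> str:
    """Classify an HTTP response to GET / on a suspected Elasticsearch host."""
    if status in (401, 403):
        return PROTECTED
    if status != 200:
        return NOT_ES
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return NOT_ES
    # The root resource of an unsecured node reports the cluster name and
    # version without asking who you are; that is the misconfiguration.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return OPEN
    return NOT_ES


def probe(host: str, port: int = 9200, timeout: float = 3.0) -> str:
    """Issue one anonymous GET / against host:port and classify the answer.

    Meant for hosts in the defender's own inventory (hypothetical names in
    audit_inventory below); network errors are reported, not raised."""
    req = urllib.request.Request(
        f"http://{host}:{port}/", headers={"Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return UNREACHABLE


# Constructed sample responses standing in for live probes, so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "search-prod.internal.example": (
        200,
        '{"name":"node-1","cluster_name":"shop-prod",'
        '"version":{"number":"6.5.4"},"tagline":"You Know, for Search"}',
    ),
    "search-staging.internal.example": (
        401,
        '{"error":{"type":"security_exception","reason":"missing authentication"}}',
    ),
    "www.example": (200, "<html><body>nginx</body></html>"),
    "metrics.internal.example": (404, ""),
}


def audit_samples() -> dict:
    """Run the classifier over the constructed samples; returns host -> verdict."""
    return {host: classify_response(s, b) for host, (s, b) in SAMPLE_RESPONSES.items()}


def audit_inventory(hosts) -> list:
    """Probe real hosts and return only those that answered anonymously."""
    return [h for h in hosts if probe(h) == OPEN]


if __name__ == "__main__":
    for host, verdict in audit_samples().items():
        print(f"{host:40s} {verdict}")
```

In a real deployment the `OPEN` verdict is what should page someone or trigger the automated remediation the first comment describes (for example, withdrawing the public route); `PROTECTED` is the expected steady state, and `NOT_ES` on a host that is supposed to run Elasticsearch is worth a second look because a proxy may be masking it.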
Stephen Gailey, Head of Solutions Architecture at Exabeam:
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“The most shocking thing about this is the complete mistruth that was told to customers of Gearbest. Data at rest encryption was the promise and it doesn’t appear to have been the case at all. While breaches can be seen as almost unavoidable these days, encryption of the data stolen should be a given, especially given the sensitivity of the data Gearbest stored. Worryingly, it’s not just the usual names, addresses, passwords and emails; the data includes passport details and national IDs. Gearbest don’t appear to have shown any care in segregating information that, while it’s all personal, is not equal.
“The data was linked so easily together that a complete profile of someone could be built that exposes the individual to identity fraud. There are many other risks that could now befall the individual customer and trying to fix this problem by invalidating their data by requesting new passports and national IDs is not only difficult, it’s sometimes impossible. Gearbest’s customers may have to accept that they’re forever exposed to additional risk thanks to the mismanagement of their data.
“It appears that Gearbest failed on two counts of poor configuration. First, they failed to protect a ‘big data’ Elasticsearch setup and secondly, they failed to encrypt any of that data. Both of these are configuration and best practice problems and frankly there’s little excuse for not implementing them correctly. Ultimately if you can’t trust a company to get the basics right, definitely don’t trust them to keep you and your data safe.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.