It has been reported that a MongoDB database was exposed online that contained health care information for 2 million patients in Mexico. This data included information such as the person’s full name, gender, date of birth, insurance information, disability status, and home address. IT security experts commented below.
David Johansson, Principal Consultant at Synopsys:
“This is not the first time something like this has happened, and unfortunately it won’t be the last time either. A very similar incident affected Mexican voter records a few years ago, where data about 93.4 million voters was exposed from a misconfigured MongoDB server.
The reason this happens is often that someone installs a MongoDB database without configuring it securely, and unfortunately MongoDB had many insecure default settings that are not suitable for a production environment:
The database server is exposed on all network interfaces by default, which means it’s directly exposed to hackers on the Internet if the server is connected to the Internet and not protected properly.
The MongoDB database does not require authentication to connect by default, which means anyone with network access to the database server can query and retrieve data from it.
These are two of the most important settings that need to be changed and configured securely when installing MongoDB, especially on Internet-facing servers.”
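The two settings named above can be checked mechanically before a server goes live. The following POSIX shell audit is an added example (not code from the article, from Synopsys, or from MongoDB); the two mongod.conf fragments it inspects are constructed samples, one with the weak defaults and one with `net.bindIp` restricted to localhost and `security.authorization` enabled.

```shell
#!/bin/sh
# Constructed sample mongod.conf fragments (YAML format used by mongod).
WEAK_CONF='net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
'
HARDENED_CONF='net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
'

# Reads a mongod.conf from stdin. Returns 0 when both settings are hardened,
# 1 when either one would leave the database open; findings go to stdout.
audit_mongod_conf() {
  conf=$(cat)
  rc=0
  # net.bindIp: treat unset as a failure (older releases bound all interfaces
  # when it was absent) and reject the wildcard addresses 0.0.0.0 and ::.
  bind=$(printf '%s\n' "$conf" | awk '/^[[:space:]]*bindIp:/ {print $2}' | tr -d "\"'")
  if [ -z "$bind" ]; then
    echo "FAIL net.bindIp is unset: mongod may listen on every interface"; rc=1
  else
    for addr in $(printf '%s' "$bind" | tr ',' ' '); do
      case "$addr" in
        0.0.0.0|::) echo "FAIL net.bindIp includes wildcard $addr"; rc=1 ;;
        *)          echo "PASS net.bindIp entry $addr" ;;
      esac
    done
  fi
  bindall=$(printf '%s\n' "$conf" | awk '/^[[:space:]]*bindIpAll:/ {print $2}')
  [ "$bindall" = "true" ] && { echo "FAIL net.bindIpAll: true"; rc=1; }
  # security.authorization must be explicitly "enabled"; the default is off.
  authz=$(printf '%s\n' "$conf" | awk '/^[[:space:]]*authorization:/ {print $2}')
  if [ "$authz" = "enabled" ]; then
    echo "PASS security.authorization: enabled"
  else
    echo "FAIL security.authorization is '${authz:-unset}': unauthenticated clients can query data"; rc=1
  fi
  return $rc
}

main() {
  echo "== weak config ==";     printf '%s' "$WEAK_CONF" | audit_mongod_conf
  echo "== hardened config =="; printf '%s' "$HARDENED_CONF" | audit_mongod_conf
}
main
```

Run it against a real server with `audit_mongod_conf < /etc/mongod.conf`; a non-zero exit status is the signal to fix the configuration before exposing the host.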
“Any time data is left unprotected it represents an issue for the organisation in question as well as the individual, but healthcare data can be particularly damaging to those involved. This kind of PII is among the most sensitive that you can imagine, and provides insight into an individual that cybercriminals could use for further cybercrime such as spear phishing, blackmail or even identity fraud. The database, which was not even password protected, is a telling example of why organisations need to move past the password/username model of authentication, instead focusing on the more secure methods of passive biometrics in combination with two-factor authentication.”
Ilia Kolochenko, CEO at High-Tech Bridge: “Recurrent research on popular open source software conducted by High-Tech Bridge suggests that many more bugs likely remain undetected. Nonetheless, the remediated vulnerabilities definitely bring OpenEMR to a better overall security level and probably even cover some 0days exploited in the wild by cybercriminals.
Now, however, the main risk for the patients and their data will be medical institutions who may unreasonably delay patching or even won’t patch at all. Attackers will certainly start exploiting the vulnerabilities found very soon, as health records can be traded at a very attractive price on the black market.”
Javvad Malik, Security Advocate at AlienVault:
“This incident shows how trivial it is for anyone using Shodan or similar search tools to find services exposed publicly. Coupled with how easy it is for companies to upload entire databases to the cloud, and how frequently such breaches appear to occur, it is important that companies undertake at least some basic assurance checks to validate that privacy and security settings are configured appropriately. Furthermore, monitoring should be put in place to detect any unauthorised access or activity.”