Researchers have discovered financial data, personally identifiable information (PII), and real-time location of millions of Chinese users have been leaked by an open Elastic cluster hosted on infrastructure owned by Aliyun Computing Co (also known as Alibaba Cloud). The highly sensitive information was added to the publicly-accessible database by over 100 mobile loan-related apps used by Chinese people when applying for loans.
The leaked database (over 899GB) was open and growing for at least two weeks before being shut down. Chinese citizens who have used one of these apps have had their data put at risk, with the amounts borrowed shared.
Other private data at risk includes:
- A simple search uncovered credit evaluations reports which contain loan records, real ID numbers and personal details such as names, addresses and contact numbers.
- SMS logs have been leaked, as well as details of contacts and mobile billing invoices, including credit and debit card details.
- Detailed tracking of app behaviour for those who have been affected, including device location and information such as passwords with MD5 encryption, which can be decoded.
Experts Comments:
Warren Poschman, a Senior Solutions Architect at comforte AG:
“This appears to be a classic case of wanting to invest in cool technology but not understanding the security ramifications of that technology. Organizations need to adopt data security to protect their data, wherever it may exist or whoever may be managing it on their behalf. A data-centric security model allows a company to protect data and use it while it is protected for analytics and data sharing on cloud-based resources. These incidents would have been preventable with such a model – and if a 3rd party or partner has a security lapse, instead of trying to shift blame, we would be talking about how they proactively protected users from such threats.”
Javvad Malik, Security Awareness Advocate at KnowBe4:
“Cloud-based storage is very convenient and easy to use. It’s scalable and always available – allowing for a multitude of data to be easily and efficiently imported and stored. However, it is also just as easy to misconfigure databases to leave them exposed to the world. It is why it’s important to have assurance procedures in place to validate environments are set up correctly.
However, in this case, there is a second issue whereby there appeared to be an excessive amount of data being collected on individuals ranging from PII to real-time location data. Companies need to be wary of what data they collect and for which purposes. Just because it’s technically possible to collect and store data, it doesn’t mean that it’s the right thing to do.”
Dan Tuchler, CMO at SecurityFirst:
“We continue to see PII data exposed, in this case detailed information on Chinese citizens. Five forces are arrayed against the hackers and others exposing private data: one, growing impact of regulations like GDPR; two, security researchers uncovering unsecured data; three, vendors providing more sophisticated protections; four, enterprises and other data owners paying more attention to security; and five, most importantly, customers becoming more concerned about the security of their own private data. Customers are driving the others to take more action. Security researchers may be the unsung heroes in this battle for data privacy – finding open data stores, resulting in quick corrective action. But the data has already been exposed – in this case enough to build a very detailed profile of Chinese citizens including their mobile phone activity and physical location.”
Tim Mackey, Principal Security Strategist at Synopsys:
“Patients of any health care data beach should be concerned more about their health information than their credit card data being in the hands of malicious organisations. A variety of highly targeted attacks on consumers are possible when armed with the information Clinical Pathology Laboratories disclosed to have been part of the breach. Unlike with credit related incidents, there is no concept of a “credit freeze” option to mitigate ongoing damage from a breach nor is there typically a concept of changing a subscriber number from an insurance provider. This means that consumers need to highly vigilant when dealing with data breaches involving health care data. Some items to consider:
- Monitor insurance statements against actual dates and procedures performed to ensure insurance fraud isn’t the path of attack.
- Don’t trust any email or phone attempts to collect payment on past services. Instead, obtain the phone number of the collection firm, validate it against their public presence and call your provider directly. Often providers will accept payment for bills transferred to collection, if they don’t their billing department should be able to confirm the legitimacy of the collection attempt.
- Advise family members to not respond to any inbound attempts to sign up for services based on your medical condition. Attackers look for a path of least resistance, and might find a ready victim in concerned family members.
Health care providers should be concerned about supply chain attacks and be more rigorous in their service provider reviews. This is particularly challenging for smaller medical practices where IT skills may be less than at larger providers. That being said, with LabCorp and Quest Diagnostics impacted by this breach, providers of all sizes should be asking hard questions like:
- What protections are in place to ensure only authorised individuals can access our data? The response should also include how access to backups is managed.
- What methods are in place to identify and differentiate legitimate access from an unauthorised access?
- Does an incident response plan exist? If so, how often is it reviewed and exercised?
- Following an incident involving any unauthorised access to our data, how long will it take before we’re notified and from whom will that notification come from?”
