Researchers have discovered that financial data, personally identifiable information (PII) and the real-time location of millions of Chinese users have been leaked by an open Elastic cluster hosted on infrastructure owned by Aliyun Computing Co (also known as Alibaba Cloud). The highly sensitive information was written to the publicly accessible database by over 100 mobile loan-related apps used by Chinese borrowers when applying for loans.
The leaked database (over 899GB) was open and growing for at least two weeks before being shut down. Chinese citizens who have used one of these apps have had their data put at risk, including the amounts they borrowed.
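An Elasticsearch node with no authentication answers plain HTTP on its API port and will list every index to anyone who asks, which is how a cluster like this is found. The following is an added example, not the researchers' tooling or code from the page: it probes a host for an unauthenticated Elasticsearch API, lists its indices and flags names that hint at the kind of data reported above. The transport is injectable, so the bottom of the file runs it against constructed sample responses (the host `203.0.113.10`, the cluster name and the index names are invented for the demo; the `SENSITIVE_HINTS` keyword list is an assumed heuristic).

```python
"""Added example: probe an Elasticsearch endpoint for unauthenticated access.

Illustrative code only; the host, cluster and index names below are constructed.
"""
import json
import urllib.error
import urllib.request

# Assumed heuristic: index names that suggest personal or financial data.
SENSITIVE_HINTS = ("user", "loan", "sms", "contact", "card", "invoice",
                   "password", "location", "id_card", "credit")


def http_get(url, timeout=5):
    """Plain unauthenticated GET. Returns (status, body); status is None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 401/403 etc. still carry a status code
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):     # refused, timed out, DNS failure
        return None, ""


def check_elastic_exposure(host, port=9200, fetch=http_get):
    """Report whether host:port is an Elasticsearch node that serves data without auth."""
    base = f"http://{host}:{port}"
    report = {"host": host, "port": port, "reachable": False, "is_elastic": False,
              "auth_required": False, "exposed": False, "version": None,
              "cluster_name": None, "indices": [], "sensitive_indices": []}

    status, body = fetch(f"{base}/")
    if status is None:
        return report
    report["reachable"] = True
    if status in (401, 403):
        report["auth_required"] = True           # security enabled: the good case
        return report
    try:
        root = json.loads(body)
    except ValueError:
        return report                            # something else is listening here
    if "You Know, for Search" not in root.get("tagline", ""):
        return report
    report["is_elastic"] = True
    report["version"] = root.get("version", {}).get("number")
    report["cluster_name"] = root.get("cluster_name")

    # The root document proves little; an index listing proves data is readable.
    status, body = fetch(f"{base}/_cat/indices?format=json&bytes=b")
    if status != 200:
        return report
    try:
        indices = json.loads(body)
    except ValueError:
        return report
    report["exposed"] = True
    for idx in indices:
        name = idx.get("index") or ""
        entry = {"index": name,
                 "docs": int(idx.get("docs.count") or 0),
                 "bytes": int(idx.get("store.size") or 0)}
        report["indices"].append(entry)
        if any(hint in name.lower() for hint in SENSITIVE_HINTS):
            report["sensitive_indices"].append(name)
    return report


# Constructed sample responses standing in for an open node (not captured traffic).
SAMPLE_OPEN = {
    "/": json.dumps({"name": "node-1", "cluster_name": "loan-apps",
                     "tagline": "You Know, for Search", "version": {"number": "6.8.0"}}),
    "/_cat/indices?format=json&bytes=b": json.dumps([
        {"health": "green", "status": "open", "index": "sms_logs",
         "docs.count": "1500000", "store.size": "734003200"},
        {"health": "yellow", "status": "open", "index": "device_location",
         "docs.count": "9800000", "store.size": "2147483648"},
        {"health": "green", "status": "open", "index": "app_metrics",
         "docs.count": "42", "store.size": "8192"},
    ]),
}


def sample_fetch(url, timeout=5):
    """Fake transport: serve the constructed responses keyed by URL path."""
    path = url.split("9200", 1)[1]
    return 200, SAMPLE_OPEN[path]


def locked_down_fetch(url, timeout=5):
    """Fake transport for a node with security enabled: every request is rejected."""
    return 401, '{"error": {"type": "security_exception"}}'


if __name__ == "__main__":
    print(json.dumps(check_elastic_exposure("203.0.113.10", fetch=sample_fetch), indent=2))
```

To run this against a real host, call `check_elastic_exposure(host)` with the default transport, and only against systems you are authorised to test. The fix on the cluster side is the mirror image of what the check looks for: bind `network.host` to an internal interface, enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`), and never expose port 9200 to the internet.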
Other private data found in the cluster includes:
- A simple search uncovered credit evaluation reports containing loan records, real ID numbers and personal details such as names, addresses and contact numbers.
- SMS logs were also leaked, along with contact lists and mobile billing invoices, including credit and debit card details.
- Detailed tracking of app behaviour for affected users, including device location, and passwords stored as MD5 hashes. MD5 is a fast hash function rather than encryption, so these passwords are not "decoded" but recovered by cracking: hashing candidate passwords until one matches.
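The following added example (not code from the page or the affected apps) shows why "passwords with MD5 encryption" are recoverable and what the apps should have stored instead. The usernames, plaintexts and wordlist are constructed for the demo; the two hard-coded digests are the well-known MD5 values of "123456" and "password". Against unsalted MD5 one precomputed table cracks every record in the leak by lookup alone; against salted PBKDF2 the table is useless and each guess for each user costs a full iteration count (set low here for speed; production deployments use hundreds of thousands).

```python
"""Added example: unsalted MD5 password hashes versus salted PBKDF2.

All sample users, passwords and hashes are constructed for this demo.
"""
import hashlib
import hmac
import os

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "111111", "woaini1314", "abc123", "letmein"]

# Constructed plaintexts; in a real leak only the hashes below are visible.
SAMPLE_PLAINTEXTS = {"user01": "123456", "user02": "password",
                     "user03": "123456", "user04": "Tr0ub4dor&3"}


def md5_hex(password):
    """The 'MD5 encryption' the apps used: fast, unkeyed, unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


# What the leaked password column looks like. Note user01 and user03 are identical:
# without a salt, equal passwords give equal hashes, so one hit cracks both.
LEAKED_MD5 = {user: md5_hex(pw) for user, pw in SAMPLE_PLAINTEXTS.items()}
assert LEAKED_MD5["user01"] == "e10adc3949ba59abbe56e057f20f883e"   # md5("123456")
assert LEAKED_MD5["user02"] == "5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password")


def build_md5_table(wordlist):
    """Precompute hash -> word once; the same table serves every unsalted leak."""
    return {md5_hex(word): word for word in wordlist}


def crack_unsalted(records, table):
    """Pure dictionary lookup: no hashing at all once the table exists."""
    return {user: table[h] for user, h in records.items() if h in table}


def pbkdf2_record(password, salt=None, iterations=20_000):
    """Store a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records, wordlist):
    """Attacker's best option against salted hashes: rerun the wordlist per user.

    Returns (cracked, hash_operations); weak passwords still fall, but no work
    is shared between users and every guess costs `iterations` hash calls.
    """
    cracked, ops = {}, 0
    for user, rec in records.items():
        for word in wordlist:
            ops += rec["iterations"]
            if verify_pbkdf2(word, rec):
                cracked[user] = word
                break
    return cracked, ops


def compare_schemes(iterations=20_000):
    """Crack the same users stored both ways and report the cost of each attack."""
    md5_cracked = crack_unsalted(LEAKED_MD5, build_md5_table(WORDLIST))
    salted = {u: pbkdf2_record(pw, iterations=iterations)
              for u, pw in SAMPLE_PLAINTEXTS.items()}
    salted_cracked, salted_ops = crack_salted(salted, WORDLIST)
    return {"md5_cracked": md5_cracked, "md5_hash_ops": len(WORDLIST),
            "salted_cracked": salted_cracked, "salted_hash_ops": salted_ops}


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The three weak passwords fall either way; the difference is that the MD5 attack costs seven hash calls for the whole leak and is reusable against every other unsalted dump, while the salted attack costs iterations times wordlist size per user and must start over for each one. A dedicated password hash (bcrypt, scrypt or Argon2) is the usual choice; PBKDF2 is used here only because it ships with the standard library.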
Experts' Comments:
Warren Poschman, a Senior Solutions Architect at comforte AG:
Javvad Malik, Security Awareness Advocate at KnowBe4:
However, in this case, there is a second issue whereby there appeared to be an excessive amount of data being collected on individuals ranging from PII to real-time location data. Companies need to be wary of what data they collect and for which purposes. Just because it’s technically possible to collect and store data, it doesn’t mean that it’s the right thing to do.”
Dan Tuchler, CMO at SecurityFirst:
Tim Mackey, Principal Security Strategist at Synopsys:
- Monitor insurance statements against actual dates and procedures performed to ensure insurance fraud isn’t the path of attack.
- Don’t trust any email or phone attempts to collect payment on past services. Instead, obtain the phone number of the collection firm, validate it against their public presence and call your provider directly. Often providers will accept payment for bills transferred to collection; if they don’t, their billing department should be able to confirm the legitimacy of the collection attempt.
- Advise family members to not respond to any inbound attempts to sign up for services based on your medical condition. Attackers look for a path of least resistance, and might find a ready victim in concerned family members.
Health care providers should be concerned about supply chain attacks and be more rigorous in their service provider reviews. This is particularly challenging for smaller medical practices where IT skills may be less than at larger providers. That being said, with LabCorp and Quest Diagnostics impacted by this breach, providers of all sizes should be asking hard questions like:
- What protections are in place to ensure only authorised individuals can access our data? The response should also include how access to backups is managed.
- What methods are in place to identify and differentiate legitimate access from unauthorised access?
- Does an incident response plan exist? If so, how often is it reviewed and exercised?
- Following an incident involving any unauthorised access to our data, how long will it take before we’re notified, and from whom will that notification come?”