Unprotected MongoDB Exposes Over 200 Million Resumes

By   ISBuzz Team
Writer , Information Security Buzz | Jan 12, 2019 05:42 am PST

A huge MongoDB database containing over 200 million records with resumes from job seekers in China was left unprotected for at least one week with anyone able to locate it. The size of the cache weighed 854GB. The information exposed this way, 202,730,434 records in total, includes all the details one would expect to see in a resume: personal information (full name, date of birth, phone number, email address, civil status), professional experience and job expectations.

Expert comments below:

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte:

isbuzz expert 9

“In the case of this data breach, or data exposure, the unprotected data was open and available for about a week, according to the report. Forensics from past data breaches have revealed that outside access to data was typically available for months, and sometimes years. Therefore, one might say that the owners of this database were ‘lucky’ that the data was only exposed for a week.

Another interesting detail about this data exposure incident is that the personal information resided in a MongoDB database.  A quick view of the MongoDB website states that it is a document database that is highly scalable and flexible.  And it’s free and open source. Does technology that is free and open source mean its unsecured?  NO, but often data protection and privacy are applied *after* the initial objectives are met. This could mean that data is exposed and is unprotected for a while.

It is the responsibility of the administrator of the database, and ultimately the organisation collecting and storing the data, to enact effective data protection and privacy methods. An 854GB cache of data with 200 million records initially doesn’t seem to be small, however, in the daily workload of an organisation, it is possible that securing this database may have been missed.

No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at riskatany given time. More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimise exposures of all sizes.”