198 Million Car-Buyer Records Exposed – Experts Comments

It has been reported that over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, has been found exposed on the internet for anyone to see. The non-password protected Elasticsearch database belonged to Dealer Leads, which is a company that gathers information on prospective buyers via a network of SEO-optimised, targeted websites.

According to the researcher, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database in total contained 413GB of data. The information included records with names, email addresses, phone numbers, physical addresses, IP addresses and other sensitive or identifiable information exposed to the public internet in plain text.


EXPERTS COMMENTS
Hugo van den Toorn, Manager, Offensive Security,  Outpost24
September 16, 2019
As datasets grow to these sized, the data is becoming increasingly valuable to our business and in some cases even more valuable than money.
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without us ....
[Read More >>]
Lisa Baergen, VP of Marketing ,  NuData Security
September 13, 2019
This technology helps verify people and detect unusual online patterns based on the user’s behavior.
Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Inte ....
[Read More >>]
Oscar Tovar, Application Security Specialist,  WhiteHat Security
September 12, 2019
Following best practices such as network segmentation and the 'least privilege' model help prevent these kinds of leaks from occurring.
Data leaks are something that should definitely be taken seriously. Not only do they damage a brand's reputation, but they also hurt the privacy of their clients. The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstance where private information storage is exposed publicly. There is not any margin ....
[Read More >>]
Anurag Kahol, CTO ,  Bitglass
September 12, 2019
As such, all companies, even those with limited IT resources, must take full responsibility for securing user data.
There are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases – meaning it doesn't take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity. ....
[Read More >>]
Javvad Malik, Security Awareness Advocate,  KnowBe4
September 12, 2019
Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data.
Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have. Cloud services have made it incredibly easy, convenient, and cost-effective to store large amounts of data, and with modern websites and app ....
[Read More >>]
Israel Barak, Chief Information Security Officer ,  Cybereason
September 12, 2019
The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported.
The Dealer Leads breach is yet another reminder that this type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors. This breach once again highlights the advantage ....
[Read More >>]
Robert Ramsden Board, VP EMEA ,  Securonix
September 12, 2019
Those that choose to use cloud-based databases need to practice basic cyber hygiene.
Cloud storage misconfigurations exposing sensitive information online is becoming increasingly common demonstrating how some organisations are not taking security seriously enough. Those that choose to use cloud-based databases need to practice basic cyber hygiene when configuring and securing these systems. Data protection and privacy are paramount in today’s security landscape, and businesse ....
[Read More >>]
Warren Poschman, Senior Solutions Architect,  comforte AG
September 12, 2019
This starts with following best practices for configuration, something that is widely available for each platform.
With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s ti ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments


In this article