News is breaking that a huge database with over 114 million records of US citizens and companies has been discovered sitting online unprotected. The number of individuals impacted by the exposure is estimated to almost 83 million. Researchers from HackenProof, a penetration testing company based in Estonia, found the massive cache of data via the Shodan search engine, in two Elasticsearch indices.
One of the instances contained personal information of 56,934,021 US citizens, including sensitive details like full name, employer, job title, email and street address, ZIP code, phone number, and an IP address. “Another index of the same database contained more than 25 million records with more of a “Yellow Pages” details directory: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes, and etc,” the company informs in a blog post.
Industry leaders commented below.
Corin Imai, Senior Security Advisor at DomainTools:
“This is an astounding amount of data to be left unprotected online, leaving 83 million Americans vulnerable. It goes to show that while we have made significant steps in data protection in recent years, we have a long way to go. Not only the volume but the content of the data available means that hackers have a wide variety of avenues from which to approach potential victims in order to attempt a social engineering campaign. Organisations are also left wide open by this data, which could facilitate BEC fraud and the serious financial consequences associated with it. American companies and consumers should (as always) be exercising extreme caution when responding to unsolicited emails, and clicking on email links.”
Ryan Wilk, VP at NuData Security:
“This is a vast sum of data to be available online in an unprotected format, and is yet another example of organisations not taking data protection in any way seriously. The information available is a hacker’s dream, with more than enough information to pull off a social engineering campaign which could compromise a wide range of accounts, ranging from consumer accounts with retailers to bank accounts or sensitive documents. Programmes of passive biometrics and two factor authentication are needed across the board if we are to differentiate between legitimate and bad users following breaches such as this.”
Tim Erlin, VP at Tripwire:
“If you leave unsecured data on the Internet, it will eventually be discovered and either exploited, reported or both.
Discovering the data is the first step, but identifying the responsible organization or individual will come next. We should all be waiting for the other shoe to drop on this story.
Technology can solve a lot of problems, but security still requires a careful review and implementation of the basics. These types of incidents don’t require sophisticated hackers or nation-state cyberwar budgets. Anyone with the time and an Internet connection can find this data.”
Julien Cassignol, IAM Specialist at One Identity:
“It might be quite possible that at one point, for automation or in production, we end up with sensitive information in elastic indices. What then can be done to protect these indices?
It all has to do with identity. Who’s supposed to access this information? Who *actually* has access to this information at a given time? Can we assess the risk that is linked to people being able to see this data? How is it mitigated?
There are several ways to tackle this problem. First and foremost, organisations should consider identity as the new perimeter. Properly defined identity, managed through the entire “flow” of communication from user to data, linked to appropriate entitlements and authenticated using the appropriate means – be it through a password, MFA, or biometrics – is paramount.
Accesses to this data have to be made in a legitimate context. Which then opens the second part of this Pandora’s box: which accesses have been made, whom by, and for what purpose? How are these accesses audited? Were they made by a privileged user or by a legitimate business user? Were they made by APIs?
It seems quite clear that it is best practice to enforce authentication at the very beginning of such accesses. That this data could be accessible without any authentication, let alone identification, is what’s key here: there are such commandments as “Know thine users”, “Know their entitlements”. If no authentication was provided, the first commandment was broken and instead of protecting the perimeter by the means of identity, we end up having to audit post mortem tracks of the intruders to hopefully get an idea of what they did and who they were. As a modern-day hunter “tasting” the logs and judging how long ago the breach took places is determined by looking at the “tracks” in the system.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.
“The treasure trove of personally identifiable data on the “Legitimate Web” and the Dark Web just continues to grow enabling fraudsters and steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal obtained in the one breach could be crossed referenced with data obtained from another breach and other widely publicized private sector breaches. Having the databases in the same place makes things even easier for the bad guys.
“Cyberattacks will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk based fraud detection technologies in their organizations, but also making sure all third party partners have equal cybersecurity measures in place.”
Tom Garrubba, Sr. Director at Shared Assessments:
“This is of course a major data breach and, at the root of it, appears to have been a user error (i.e., “misconfiguration of the Elasticsearch instances” allowing public access to the data without authentication). We cannot stress enough of the importance of established checks and balances, segregation of duties, etc., to be defined in procedures and followed with appropriate sign-offs by management. With an estimated number of affected citizens to be almost 83 million it appears the hackers struck a gold mine. The only hope left here is that there are some iron pyrite – or “fool’s gold” records (meaning – old and no longer usable) – mixed in with the gold of actual current individual records.”