Navionics, the marine navigation company owned by Garmin, accidentally exposed the personal data of thousands of boat owners through a misconfigured MongoDB server. The exposed data was found by a security researcher at Hacken.io.
Ryan Wilk, VP of Customer Success at NuData Security:
“Just when you thought it was safe to go on the water, even there you can be exposed, as this latest news demonstrates. Monitoring and securing data is a difficult task, as most companies are finding out. Patching vulnerabilities and reviewing security architecture and authentication is not a checkbox but an ongoing process. Consumer data has been going through the meat grinder lately with the number of exposures, attacks and information that has been stolen by cybercriminals. Once this information falls into the wrong hands it is used to make synthetic identities and take over identities and accounts. To stop relying on static data that could have been stolen, companies are implementing layered defenses that include passive biometrics and behavioral analytics to identify consumers by their behavior. By doing so, inadvertent mistakes like a misconfigured database exposing personal information won’t put the victim’s identity at risk.”
Adam Brown, Manager of Security Solutions at Synopsys:
“The vulnerability that has resulted in this breach isn’t something that is peculiar to marine technology, about which we have seen a lot of noise this year. Instead, it is a systemic failing that many organisations across all verticals fall foul of when using cloud infrastructure. There are sometimes assumptions about cloud security that can leave security gaps. These assumptions do not consider the shared responsibility model necessary for security when using cloud providers. While the cloud provider is responsible for securing the infrastructure hardware, the software running on it and the configuration of that are still the responsibility of the organisation that uses it.
Security Misconfiguration is common enough to have made it to #6 in the OWASP Top Ten, and this is a prime example of that. MongoDB ships by default with no access control enabled, as it needs to have users created; otherwise it remains wide open. I would strongly recommend any cloud user organisation to undertake a cloud security configuration review. The use of standard techniques like penetration testing may fail to detect these implementation defects, as many cloud providers’ firewalls and load balancers will simply deflect penetration test efforts.
Over and above this, all software editors should have a deliberate, defined and supported effort for software security; a successful one would prevent terrible errors like this in future.”
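The configuration review Brown recommends can be partly automated. The script below is an added example, not code from the article or from either of the quoted experts: it checks a mongod.conf for the two settings that turn a database into an open one, `security.authorization` (access control, off unless explicitly enabled) and `net.bindIp`/`net.bindIpAll` (which interfaces the server listens on). The two sample configuration files are constructed for this example; the parser handles only the flat `section:` / `  key: value` layout mongod.conf uses, not general YAML.

```python
"""Review a mongod.conf for the settings behind most "open MongoDB" exposures.

Added example; the sample configs below are constructed, not from any real deployment.
"""
import re

# Constructed: the kind of config that leaves a server wide open.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listen on every interface
# no security section: authorization stays off
"""

# Constructed: the same server with access control on and a restricted listener.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

_ENTRY = re.compile(r"^([A-Za-z_][\w]*)\s*:\s*(.*)$")


def parse_simple_yaml(text):
    """Flatten mongod.conf's nested mappings into dotted keys, e.g. 'net.bindIp'.

    Minimal by design: no lists, anchors or multi-line scalars."""
    settings = {}
    stack = []  # (indent, key) of each mapping that is still open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        match = _ENTRY.match(line.strip())
        if not match:
            continue  # not a key: value entry; ignore
        key, value = match.group(1), match.group(2).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # dedent closes the enclosing mapping(s)
        path = ".".join([k for _, k in stack] + [key])
        if value:
            settings[path] = value
        else:
            stack.append((indent, key))  # 'section:' opens a nested mapping
    return settings


def review_mongod_conf(text):
    """Return a list of findings; an empty list means the two checks pass."""
    s = parse_simple_yaml(text)
    findings = []

    # Access control is off unless security.authorization is explicitly 'enabled'.
    if s.get("security.authorization", "").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port gets unrestricted read/write access to every database")

    # Listening on all interfaces is what turns 'no auth' into a public exposure.
    bind = s.get("net.bindIp", "")
    bind_all = s.get("net.bindIpAll", "").lower() == "true"
    if bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(
            "net.bindIp/bindIpAll: mongod listens on all interfaces; restrict it "
            "to localhost or the application network")
    elif not bind:
        findings.append(
            "net.bindIp not set: MongoDB 3.6+ defaults to localhost only, but "
            "older releases bind every interface; set it explicitly")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in review_mongod_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against a real file with `review_mongod_conf(open("/etc/mongod.conf").read())`. A clean report only means these two settings are right; it does not replace checking the cloud security group or firewall in front of port 27017, which is a separate control in the shared responsibility model Brown describes.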