MoviePass Exposes 161M Records

It was recently reported that movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers because a critical server was not protected with a password. The database contained 161 million records at the time of writing and was growing in real time. Many of the records were ordinary computer-generated logging messages used to keep the service running — but many also included sensitive user information, such as MoviePass customer card numbers. In fact, more than 58,000 records contained card data — and that number was growing by the minute.


EXPERTS COMMENTS
Tim Erlin, VP of Product Management and Strategy, Tripwire
August 23, 2019
The data, once compromised, remains compromised.
As consumers, we expect organizations to do the basics to protect our data. Unfortunately, when they fail to do so, there’s not that much that consumers can really do to put the genie back in the bottle. The data, once compromised, remains compromised. The payment card industry data security standard (PCI DSS) has been around for more than a decade, and securing a database of card data with a password has been a basic requirement since the first version.
Jonathan Knudsen, Senior Security Strategist, Synopsys
August 22, 2019
Meaningful risk reduction occurs only when a security-first approach pervades every area of an organisation.
The security of an organisation is only as strong as its weakest link. In this case, one employee made one bad decision that had huge consequences. Even if products and services are created using a secure software development life cycle (SDLC), any victories there are negated when similar security-forward processes are not followed in deployment, operations, and elsewhere within the organization. Meaningful risk reduction occurs only when a security-first approach pervades every area of an organisation.
Matt Keil, Director of Product Marketing, Cequence Security
August 22, 2019
These mistakes have become so frequent that we, as users, have become numb to the repeated human errors.
The exposure of credit card information by MoviePass along with the discovery of 1M+ user records including emails by Lucious.com are new examples in the increasingly long list of insecure databases due to human error. These mistakes have become so frequent that we, as users, have become numb to the repeated human errors. Where are the checks and balances to confirm the resource is protected? At a minimum, organizations should follow the recommendations outlined here.
Adam Laub, CMO, STEALTHbits Technologies
August 22, 2019
Two sides of the story: (1) a database of sensitive data that is readable in plaintext; (2) accessible from the Internet.
There are really two separate, yet closely related components to this story. On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext. On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse? Had the data been masked, the information would still be accessible, but perhaps not so immediately valuable. If access rights were configured properly and appropriately, this discovery might never have been made and there would be no story in the first place. The right answer is both, as a layered approach to security is the ideal scenario, but either could have conceivably been enough to make this a non-issue. While convenient to say in light of this particular situation, organizations of any type or size can drastically mitigate their risk of finding themselves in these types of situations by focusing their time on locating and limiting access to the data attackers would be most interested in, as well as verifying desired configurations are being adhered to across all devices and information assets.
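The masking control described in the comment above, shown as an added example that is not part of this page or of any MoviePass code: a small Python log scrubber that detects card numbers (PANs) in log records by combining a digit-run regex with the Luhn checksum, and rewrites them so only the last four digits survive. The log lines are constructed for the example; the pipeline shape (each record is a plain string) and the 13-19 digit PAN length range are assumptions.

```python
"""
Redact payment card numbers (PANs) from log records before they are stored.

Added example, not MoviePass code. Assumes a plain-text log pipeline in which
each record is one string. Detection uses a digit-run regex plus the Luhn
checksum so that ordinary numbers (timestamps, request IDs) are left intact.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_digits: str) -> str:
    """Keep only the last four digits, e.g. '************4242'."""
    return "*" * (len(pan_digits) - 4) + pan_digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number in one log line with its masked form.

    Returns (redacted_line, number_of_redactions). Digit runs that fail the
    Luhn check are left untouched, which keeps request IDs readable.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _PAN_RE.sub(_sub, line), count


def redact_stream(lines):
    """Redact a sequence of log lines; returns (redacted_lines, total_redactions)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


# Constructed sample log lines (not taken from the exposed database).
SAMPLE_LOGS = [
    "2019-08-20T14:02:11Z INFO ticket_purchase user=12345 card=4242 4242 4242 4242 status=ok",
    "2019-08-20T14:02:12Z INFO request_id=1234567890123456 path=/checkout",  # 16 digits, fails Luhn
    "2019-08-20T14:02:13Z DEBUG card_validation pan=4111-1111-1111-1111 reason=declined",
]

if __name__ == "__main__":
    redacted, n = redact_stream(SAMPLE_LOGS)
    for record in redacted:
        print(record)
    print(f"{n} card numbers redacted")
```

Running the block prints the three records with both card numbers masked and the request ID untouched. In a real pipeline the same function would sit in the logging handler or the log shipper, so that a record like the ones in the exposed database never reaches the store in plaintext; the Luhn check is what keeps false positives low, but a scrubber of this kind should still be paired with structured logging that never puts the PAN field into a free-text message in the first place.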
Chris DeRamus, CTO and co-founder, DivvyCloud
August 21, 2019
Ignoring vulnerabilities that are reported by white hat hackers is not a wise move.
Leaving 58,000+ records containing payment card data unencrypted on a publicly accessible database is concerning, however, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse. Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities before they can be exploited. Consumers that trusted MoviePass with their data expect their personally identifiable information to be protected with mature security controls. Within the months that MoviePass’ database was exposed, cybercriminals not only could have made fraudulent purchases, but they also could have launched phishing attacks against MoviePass customers to gain access to additional sensitive information. MoviePass joins Honda, AavGo, Rubrik, Gearbest and countless other organizations this year to fall victim to data leaks via cloud service misconfigurations. The truth is, most companies still lack the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions must be a priority for all companies that are using cloud services. Without these tools in place companies will continue to lack the ability to detect misconfigurations and alert the appropriate personnel to correct the issue or better drive automated remediation in real time.
Robert Prigge, President, Jumio
August 21, 2019
Today's MoviePass breach is potentially massive in scale given the 161 million record database that was breached.
Another week, another data breach. Today's MoviePass breach is potentially massive in scale given the 161 million record database that was breached. It's a little bit unclear how many of these records included sensitive consumer data, but what we should all expect is that a healthy chunk of this data will ultimately find a happy home on the dark web. What's also clear is that KBA (knowledge-based authentication), which relies on the notion of shared secrets, should be heavily scrutinized as a reliable means of authentication. Why? Given that more and more of our supposed shared secrets are now available for pennies on the dark web, the job of the fraudster -- especially those focused on account takeovers -- just got a little bit easier.
Kevin Gosschalk, CEO, Arkose Labs
August 21, 2019
Consumers trust companies with their data, so much so that they save their payment and personal credentials for future use.
Companies must realize that digital commerce is built on data and convenience. Far too often data breaches occur due to companies leaving their databases unprotected, as witnessed last week with the first biometric database breach. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security. Consumers trust companies with their data, so much so that they save their payment and personal credentials for future use. They expect their information to be protected by the platform. Technically, this breach can be interpreted as the company giving away customer data for free. Furthermore, the breached data includes personally identifiable information (PII) and payment card information (PCI), leaving impacted customers vulnerable to future fraud or phishing attacks. Unlike credit cards, debit cards don’t offer the same protection to customers. When a fraudulent transaction occurs on your credit card, you have lost no money and the issue will never impact your bank account. With a debit card, your bank account balance is directly affected from the moment the fraudulent transaction takes place. While the customers can put a hold on their cards, timing is the key in these types of situations. As this database was left publicly accessible, reportedly for months, companies must learn from MoviePass’s mistake and implement a proactive approach to fraud prevention that safeguards their customers’ data.
Stephan Chenette, Co-Founder and CTO, AttackIQ
August 21, 2019
Any organization that collects and stores consumer data must make protecting that data a priority.
Because a database was left publicly accessible, reportedly for months, at least 58,000 records related to MoviePass customers are vulnerable to misuse and abuse at the hands of cybercriminals. At its peak, MoviePass boasted more than 3 million customers in June 2018, so it’s entirely possible we’ll see the number of impacted individuals grow exponentially. Any organization that collects and stores consumer data must make protecting that data a priority. A mistake such as leaving a database publicly exposed can happen with just a couple commands or lines of code, but have devastating repercussions. Companies must take on the responsibility of analyzing the security of their environments on a continuous basis – not just periodically – and continuously test the efficacy of their security controls to ensure any vulnerabilities are identified and remediated in a timely manner.
Anurag Kahol, CTO, Bitglass
August 21, 2019
Data is not truly secure if the encryption key is stored within the app that also holds the encrypted data.
The type of data exposed by MoviePass puts customers at risk of highly targeted phishing attacks and identity theft – a position in which no company ever wants to place its customers. What stands out about this incident is the amount and type of data that was stored in plaintext and ultimately was left publicly accessible. Companies should always encrypt sensitive data – even when it is used solely for internal purposes. Best practice also dictates that companies should employ a bring-your-own-key (BYOK) approach whereby they maintain control of their own encryption keys. Data is not truly secure if the encryption key is stored within the app that also holds the encrypted data. When organizations select a security platform, they must ensure that it provides the breadth and depth of capabilities needed to maintain complete visibility and control over corporate data in the cloud. Fortunately, cloud access security brokers (CASBs) offer organizations everything that they need for comprehensive protection. For example, leading CASBs can enforce real-time access control, encrypt sensitive data at rest, detect misconfigurations through cloud security posture management (CSPM), control the sharing of data with external parties, and prevent the leakage of sensitive information.
Vinay Sridhara, CTO, Balbix
August 21, 2019
Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.
Leaving sensitive customer data unencrypted on an exposed database could not have come at a worse time for MoviePass as it is still recovering from a series of unfortunate events like a decline in customer base, its forced reset of users’ passwords in April 2019, and the emergence of Regal Entertainment’s competing service. The payment information and other personally identifiable information (PII) present in the database is more than enough for threat actors to make fraudulent purchases or even quickly flip this information on the dark web for a premium. In order to restore their brand image and customer trust, MoviePass must make cybersecurity a priority and continuously monitor all IT assets across hundreds of attack vectors to detect vulnerabilities. The key to thwarting future attacks is to leverage security tools that employ AI and ML to observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be fixed. In MoviePass’ case, this misconfigured database would have been prioritized. Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.
Ben Goodman, Senior Vice President, Global Business and Corporate Development, ForgeRock
August 21, 2019
Corporations must utilize security strategies that leverage real-time, contextual and continuous security.
MoviePass reportedly obstructed its customers from buying tickets by forcibly changing user passwords in April 2019. According to a recent survey from PwC, 87% of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal Unlimited instead. It is critical that all organizations understand the serious risk associated with a breach of customer information, including data leaks due to misconfigurations. Corporations must utilize security strategies that leverage real-time, contextual and continuous security that identify anomalous behavior and prompt further action, such as identity verification when an unknown user is accessing a database of customer information, to put more barriers between threat actors and sensitive information.
