MoviePass Exposes 161M Records

It was recently reported that movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers because a critical server was not protected with a password. The database contained 161 million records at the time of writing and was growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service, but many also included sensitive user information, such as MoviePass customer card numbers. In fact, more than 58,000 records contained card data, and that number was growing by the minute.


EXPERT COMMENTS
Tim Erlin, VP of Product Management and Strategy, Tripwire
August 23, 2019
The data, once compromised, remains compromised.
As consumers, we expect organizations to do the basics to protect our data. Unfortunately, when they fail to do so, there’s not that much that consumers can really do to put the genie back in the bottle. The data, once compromised, remains compromised. The payment card industry data security standard (PCI DSS) has been around for more than a decade, and securing a database of card data with a ....
Jonathan Knudsen, Senior Security Strategist, Synopsys
August 22, 2019
Meaningful risk reduction occurs only when a security-first approach pervades every area of an organisation.
The security of an organisation is only as strong as its weakest link. In this case, one employee made one bad decision that had huge consequences. Even if products and services are created using a secure software development life cycle (SDLC), any victories there are negated when similar security-forward processes are not followed in deployment, operations, and elsewhere within the organization. ....
Matt Keil, Director of Product Marketing, Cequence Security
August 22, 2019
These mistakes have become so frequent that we, as users, have become numb to the repeated human errors.
The exposure of credit card information by MoviePass along with the discovery of 1M+ user records including emails by Lucious.com are new examples in the increasingly long list of insecure databases due to human error. These mistakes have become so frequent that we, as users, have become numb to the repeated human errors. Where are the checks and balances to confirm the resource is protected? At a ....
Adam Laub, CMO, STEALTHbits Technologies
August 22, 2019
Two sides of Story: (1) Data with sensitive data that is readable in plaintext, (2) Accessible from Internet.
There are really two separate, yet closely related components to this story. On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext. On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse? Had the data been masked, the information would still be accessible, but perhap ....
Chris DeRamus, CTO and co-founder, DivvyCloud
August 21, 2019
Ignoring vulnerabilities that are reported by white hat hackers is not a wise move.
Leaving 58,000+ records containing payment card data unencrypted on a publicly accessible database is concerning, however, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse. Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities before they can be exploited. Consumers that tr ....
Robert Prigge, CEO, Jumio
August 21, 2019
Today's MoviePass breach is potentially massive in scale given the 161 million record database that was breached.
Another week, another data breach. Today's MoviePass breach is potentially massive in scale given the 161 million record database that was breached. It's a little bit unclear how many of these records included sensitive consumer data, but what we should all expect is that a healthy chunk of this data will ultimately find a happy home on the dark web. What's also clear is that KBA (knowledge-based ....
Kevin Gosschalk, CEO, Arkose Labs
August 21, 2019
Consumers trust companies with their data, so much so that they save their payment and personal credentials for future use.
Companies must realize that digital commerce is built on data and convenience. Far too often data breaches occur due to companies leaving their databases unprotected, as witnessed last week with the first biometric database breach. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security. Consumers trust companies with their data, so much so that they save their pa ....
Stephan Chenette, Co-Founder and CTO, AttackIQ
August 21, 2019
Any organization that collects and stores consumer data must make protecting that data a priority.
Because a database was left publicly accessible, reportedly for months, at least 58,000 records related to MoviePass customers are vulnerable to misuse and abuse at the hands of cybercriminals. At its peak, MoviePass boasted more than 3 million customers in June 2018, so it’s entirely possible we’ll see the number of impacted individuals grow exponentially. Any organization that collects and ....
Anurag Kahol, CTO, Bitglass
August 21, 2019
Data is not truly secure if the encryption key is stored within the app that also holds the encrypted data.
The type of data exposed by MoviePass puts customers at risk of highly targeted phishing attacks and identity theft – a position in which no company ever wants to place its customers. What stands out about this incident is the amount and type of data that was stored in plaintext and ultimately was left publicly accessible. Companies should always encrypt sensitive data – even when it is used s ....
Vinay Sridhara, CTO, Balbix
August 21, 2019
Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.
Leaving sensitive customer data unencrypted on an exposed database could not have come at a worse time for MoviePass as it is still recovering from a series of unfortunate events like decline in customer base, its forced reset of users’ passwords in April 2019, and the emergence of Regal Entertainment’s competing service. The payment information and other personally identifiable information (P ....
Ben Goodman, Senior Vice President, Global Business and Corporate Development, ForgeRock
August 21, 2019
Corporations must utilize security strategies that leverage real-time, contextual and continuous security.
MoviePass reportedly obstructed its customers from buying tickets by forcibly changing user passwords in April 2019. According to a recent survey from PwC, 87% of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal ....