Another day, another breach. A staggering new report from CyberNews, published today (March 20), claims the discovery of an unsecured database “comprising 800 gigabytes of personal user information.” This included “more than 200 million detailed user records—putting an astonishing number of people at risk.”
According to the research team, the database was unsecured and unidentified. As the team continued to search for clues as to its errant owner, “on March 3, 2020, the entirety of the data present on the database was wiped by an unidentified party.”
The personally identifiable information in the database included names, email addresses, phone numbers and dates of birth. Even more alarmingly, though, the dataset also included credit ratings, mortgage and tax details, even investments, charity donations and personal interests.
The database was hosted on a Google Cloud server and, according to CyberNews, “has been exposed for an unknown period.” Although the data has been wiped, the database itself remains online and accessible.
“Another day, another open database,” cybersecurity researcher Sean Wright said of the breach. “What frustrates me the most about these databases is that we used to purposely bury them deep within an organization’s network. So that if there was any misconfiguration, the risk would be minimized. Fast forward to today, and we put databases on a network directly facing the internet.”
It goes without saying that the combination of data breached presents serious risks for the individuals involved. It is currently unknown whether bad actors detected or downloaded the dataset before it was wiped. If that did happen, then there is every chance the data will be sold and used.
Any individuals who use the checker and find their details were breached should take extra care to monitor their finances and any new applications taken out in their names. The use of some form of monitoring service would not be a bad idea for a period of time at least. Unfortunately, with the party behind the breach unknown, it is impossible to take action against them to recover the costs of this.
“It’s difficult to understate the massive effect this data leak can have on hundreds of millions of people in the U.S.,” CyberNews says. The exposed data is “a virtual goldmine” for cybercriminals. Fortunately, without social security numbers, full-scale identity theft is not the risk it would otherwise be.
As cyber guru Ian Thornton-Trump warned, “over and over again businesses ask IT to deliver capability or storage, but thinks magically it will be secured by folks with no training and no guidance. Somehow as an industry, we just can’t manage to secure our data in the cloud.”
CyberNews told me that they had checked random entries on the database against social media and other online checks. They also checked with certain media figures that the details were correct. “Names, ages, locations, and emails matched,” they said, “which led us to believe the data was valid.”
As to who may have been behind this kind of database, “we suspect it belonged to a data marketing firm, or a credit or real estate company. One of the clues was the manner in which categories and sections were marked as codes in a fashion similar to dictionaries used by data marketers, and the codes were either specific to the U.S. Census Bureau or used in the Bureau’s classifications.”
“Everyone seems to be hyper focused on cybercrime, data breach and incident response,” Thornton-Trump told me, “but security teams are not doing audits of their own infrastructure to nab issues like this.”
There’s not much more to say—check the database and ensure you’re not on it.
“Organizations should look to using controls which limits public exposure to these databases, even if a misconfiguration occurs,” Wright advises. “I also worry that we are becoming fatigued by all these instances, such that people hardly pay any attention to them any more.”
We shall see.