Two Elasticsearch Databases Found Unprotected
After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit.
A database breach exposed more than four million intern applications with personal and sensitive information on a server without a password. The database reportedly contained information included in applications that had been tagged as “opportunity applications” for AIESEC internships and “included sensitive information as email, full name, DOB, gender, plus a detailed description on their intentions for applying for AIESEC as well as interview details,” according to Diachenko’s blog post on SecurityDiscovery.
“Basically, AIESEC was using software that is great for giving their staff access to money-making data, but they focused far too little on protecting the data,” said LUCY Security CEO Colin Bastable.
“GDPR penalties apply to the global revenues of virtue-signaling nonprofits just as much as they do to their virtue-seeking corporate sponsors. I suspect they will get a slap on the wrist, and the IT budget will be invested appropriately in keeping Laurin Stahl out of the IT security press next year. There is probably a significant proportion of nonprofits that are vulnerable in this way, so they should take this as a warning to get serious about securing consumer data. The message for consumers is [that] you can’t trust any organization with your personal data, even if they are driven by the most noble ideals, so share with care.”
This is the second misconfiguration in an Elasticsearch database disclosed this week. News also broke that a password-less Elasticsearch server belonging to a variety of online casinos had compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.
The payment card details indexed in the server were partially redacted, however, suggesting that they were not exposing each user’s full financial details. The leaky server was found last week and was just taken offline on January 21, making it no longer accessible.
“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks, such as the VOIPo and Oklahoma Securities Commission’s latest incidents,” said Mark Weiner, CMO, Balbix.
He continued, “108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.”