It has been revealed that a huge MongoDB database exposing 275,265,298 records of Indian citizens containing detailed personally identifiable information (PII) was left unprotected on the Internet for more than two weeks. Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache of PII data was first indexed on April 23, 2019.
Warren Poschman, Senior Solution Architect at comforte AG:
“If anyone is still snoozing while dreaming that their data is safe while “hidden in plain sight” on an “anonymous” cloud resource, the string of lapses around MongoDB instances is a wakeup call in the form of a 3 am fire alarm. Whether the database or cloud instance is properly secured or not, the data is still vulnerable since only the system is protected, not the data itself. Organizations need to adopt data security to protect their data, wherever it may exist or whoever may be managing it on their behalf. A data-centric security model allows data to be protected and used it while it is protected without losing the analytic value, something that is key for analytics and data sharing on cloud-based resources. These incidents would have been preventable with such a model – and if a security lapse does occur due to misconfiguration, the data still remains private.”
Ksenia Peguero, Senior Research Lead at Synopsys:
“The MongoDB database is, by default, installed without requiring a username and password. It uses the so called anonymous authentication. Although this incident doesn’t specify exactly how the data was accessed, there have been previous situations whereby data was stolen from MongoDB databases because secure authentication was not configured for them. This reminds us about the importance of secure defaults. When installing new software, check the default settings that it comes with and update them to the acceptable security level. Additionally, always update or turn off default credentials and set the proper access control if the tool does not come with it. For MongoDB specifically, it is important to create access credentials and turn off anonymous authentication before putting the database into production.”
Nabil Hannan, Managing Principal at Synopsys:
“Advanced persistent threats (APTs) are consistently scanning and scouring the internet for any information that they can gather. In most cases, databases and other computer systems are configured manually. This can lead to potential mistakes, especially when it comes to security configurations. It’s important to automate and regularly audit these configurations (both security and non-security configurations) to ensure that they are current and that they follow best practices.
It’s very unfortunate that 275M+ records of Indian citizens were breached in this particular situation. The types of data included in the database, particularly the PII data, is alarming. This situation isn’t reminiscent of a credit card breach in which an individual can simply request a new credit card to remedy the situation. Rather, individuals’ sensitive personal information has been permanently exposed. The best option for those affected is to pay for monitoring services to make an effort to catch any suspicious activities involving their personal information.”
Jonny Milliken, Manager of the Research Team at Alert Logic:
“This data leak once again demonstrates that when you use cloud services, you still need to take responsibility for your own part of the shared security model. There is a huge volume of similar instances of this happening right now, accessible over the internet. Anyone who runs MongoDB in the cloud should take this as a warning to review their infrastructure access immediately and deploy some automated system or service to tell you if it becomes exposed in the future. Eternal vigilance is the price of cloud computing.”
Jonathan Bensen, CISO at Balbix:
“Every company that suffers a data leak tends to issue a statement that discusses how they take data security and compliance very seriously, however if these companies actually took it seriously then they would have been leveraging advanced security solutions that could have proactively identified and remediated the gap in their security posture that caused the leak. Misconfigurations like this are, unfortunately, a dime a dozen. Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once.
By leveraging security tools that employ artificial intelligence and machine learning to analyze millions of data signals to prioritize which vulnerabilities must be corrected first, based on risk and business criticality, organizations will be able to effectively remediate flaws that could facilitate data breaches.”
Brian Johnson, CEO and Co-founder at DivvyCloud:
“Though the legalities of this organization’s business practices are questionable, other companies should let this story serve as an example. Leaving servers unprotected seems like such a simple mistake to make, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day–most recently Freedom Mobile. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments. Automated cloud security solutions enable companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.”
Gavin Millard, VP of Intelligence at Tenable:
“Another day, another huge repository of personally identifiable information (PII) has been discovered, exposed for anyone to rifle through and pilfer details.
“Verizon’s 2019 Data Breach Incident Report warned of an uptick in social engineering attacks against C-level executives. Repositories like this provide perfect fodder for these attacks as they contain the level of detail a bad actor needs to bring credibility to the language used. For example, an attacker could pretend to be from HR, IT or another department within the organisation, offering enough truth to trick a victim into disclosing information, sending documents or even performing a task they wouldn’t normally do that exposes the organization to further risk.
“The time of the unprotected MongoDB database or the open S3 bucket must end for everyone’s sake.”
Ryan Wilk, VP of Customer Success for NuData Security:
“Data in the wrong hands – especially detailed personally identifiable information – can have a huge impact on consumers. PII, combined with other user data from other breaches and social media, builds a complete profile. In the hands of bad actors, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans, and much more. Every hack has a snowball effect that far outlasts the initial breach. All customer information is valuable to hackers. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We need to protect all customer data, but more importantly, we need to make it valueless. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behavior. Analyzing customer behavior with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless. The balance of power will return to customer protection when more companies implement such techniques and technology.”