Companies leaving their customer databases unsecured have become regular news. In a new development, a researcher has found a whopping 413GB unsecured trove of user information maintained by a data-harvester.
An Elastic database belonging to automobile marketer Dealer Leads left more than 198 million records exposed. The records held consumer data including loan and finance details, vehicle information and the IP addresses of website visitors, wrote Security Discovery researcher Jeremiah Fowler.
"I initially thought this database could be a directory, but there would not be such detailed information or back-end records. Another concern was that there were so many different websites that it almost seemed illogical that they could be owned by one organisation," he wrote in his report.
"Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com."
DealerLeads is an automotive digital marketing player which collates vehicle-buyer data and links it to providers of sales, service and finance. The sites in the database were interlinked and together formed a massive, highly targeted network of websites.
"All of the content is relevant and related to the auto industry or other specific target keywords and this gives the links more value in Google’s eyes. When those links are pointed at a new domain or a primary domain, its value will theoretically skyrocket when that value is passed from site to site. This also explained why there were so many unique domains inside the database," wrote Fowler.
"There is nothing wrong with this method and as we see it is very effective. Google changed their algorithms in 2012 to throw the little guys under the bus, so this is the reason why organisations of every size need complex SEO strategies to compete with Google’s advertising revenue goals," Fowler explained.
Following best practices such as network segmentation and the least-privilege model helps prevent these kinds of leaks from occurring, said Oscar Tovar, application security specialist at WhiteHat Security.
"Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, giving only users the least amount of necessary privileges to data access lessens the probability of a data leak," he told SC Media UK.
"Surprisingly, these heavily recommended practices are not followed commonly. A simple search on shodan.io will show a plethora of S3 buckets, and Database API Endpoints that are publicly accessible without any security restraints."
For Dealer Leads, all that was needed was a simple policy requiring that every internet-facing system have password protection, data encryption or other fundamental protections, said Jonathan Knudsen, senior security strategist at Synopsys.
"Simple, fundamental security policies that cost very little to implement can dramatically reduce risk and provide a springboard to implementing a more comprehensive software security initiative. When in doubt, bring in a partner who can help you get started," he said.
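The advice from Tovar (segment the network, grant the least privilege necessary) and Knudsen (require authentication and encryption on anything internet-facing) maps onto a handful of settings for the kind of Elastic node at the centre of this story. The fragment below is an added illustration and is not configuration from the article or from DealerLeads; it assumes Elasticsearch 7.x, where the basic security features are free, and the cluster name, node name, private address and certificate paths are placeholders.

```yaml
# elasticsearch.yml -- added illustration, not taken from the article.
#
# WEAK: the pattern behind most "exposed Elastic database" reports.
# Binding to every interface with security switched off lets anyone who
# can reach port 9200 read and modify every index without a password.
#
#   network.host: 0.0.0.0
#   xpack.security.enabled: false
#
# HARDENED (Elasticsearch 7.x, basic licence):

cluster.name: leads-cluster           # placeholder name
node.name: es-node-1                  # placeholder name

# Segmentation: listen only on a private address inside the application
# subnet, never on a public interface. Reaching the node then requires
# being inside that network or coming through a firewall or VPN.
network.host: 10.0.20.15              # placeholder private address
http.port: 9200
transport.port: 9300

# Authentication: every request must carry credentials; no anonymous reads.
xpack.security.enabled: true

# Encryption in transit for client (HTTP) traffic.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es-node-1.key            # placeholder path
xpack.security.http.ssl.certificate: certs/es-node-1.crt    # placeholder path
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]

# Encryption in transit for node-to-node traffic; required once security
# is enabled on a node that binds to a non-loopback address.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/es-node-1.key       # placeholder path
xpack.security.transport.ssl.certificate: certs/es-node-1.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
```

With security enabled, the least-privilege half of Tovar's advice is applied at the account level: the web application that writes leads gets its own user and a role whose index privileges cover only the indices it needs (for example `read` and `index` on the leads index, created through the `PUT _security/role/<name>` API), rather than sharing the built-in `elastic` superuser. A quick self-check for the segmentation setting is to confirm that port 9200 is not reachable from outside the private subnet at all, which is the condition a search engine such as shodan.io would otherwise reveal.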
What complicates the issue is that the consumers profiled in this database have no way of restricting how their details are shared.
"Because of the size and scope of the network, applicants and potential customers may not know if their data was exposed. Also, when contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads," Fowler pointed out.
"This type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting," said Israel Barak, chief information security officer at Cybereason. "Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors."