Unprotected ElasticSearch database exposed 24m banking docs
24 January 2019
A security researcher found an Elasticsearch database containing more than 24 million banking and financial documents, mostly digitised credit and mortgage reports, stored on a cloud server without any password protection.
The database held 51GB of confidential financial and banking data that any opportunistic cyber criminal could easily use to carry out identity fraud, file false tax returns, and obtain loans and credit cards in the name of innocent citizens.
Elasticsearch Database contained PII of thousands of Americans
“These documents contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” said Bob Diachenko, the security researcher who unearthed the database.
After investigating the nature of the data, he determined that the company that uploaded the sensitive documents to the database was Ascension Data & Analytics, a firm that specialises in a variety of products and services for the financial industry in the United States.
“We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cybercriminals to manage the entire system with full administrative privileges.
“Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains,” he added.
Commenting on the discovery of the unprotected Elasticsearch database, High-Tech Bridge’s CEO Ilia Kolochenko said that numerous suppliers and partners may urgently need their data for various legitimate business purposes, but fail to maintain appropriate internal security controls.
Hundreds of unprotected databases hosted on the cloud
“Third-party risk management is not a silver bullet either, as quite frequently access to data is time-sensitive and many companies are prone to close their eyes to some of the imperfections of the third-party security mechanisms. A large-scale scan of the Internet will likely produce hundreds, if not thousands, of similar databases with critical, sensitive and privileged data being hosted somewhere without any protection,” he said.
“From a legal point of view, the companies whose negligence leads to data exposure may be liable for considerable financial penalties and/or face individual and even class action lawsuits. Security researchers who access and process the data should also be careful, as under certain circumstances they may break the criminal law and also expose themselves to other legal ramifications,” he added.
In November last year, Diachenko had also spotted an unprotected ElasticSearch database that contained detailed personal records, including personally identifiable information, of millions of U.S. citizens.
According to Diachenko, the unprotected Elasticsearch database contained first names, last names, employers, job titles, email addresses, home address, state, zip, phone numbers, and IP addresses of 56,934,021 US citizens. Another index of the same database contained over 25 million data records including names, company details, zip addresses, carrier routes, latitude/longitudes, census tracts, phone numbers, web addresses, email addresses, employees count, revenue numbers, NAICS codes, and SIC codes.
In the same month, Diachenko had unearthed another unprotected cloud database hosted by data aggregator Adapt that contained over 9.3 million data records, including personal data as well as job descriptions of millions of individuals.
The database contained as many as 9,376,173 personal data records that included first and last names, phone numbers, name of the companies where the individuals were employed, job titles, job descriptions, list of company domains, industry, company revenue, email confidence scores, total contacts available in the company, and emails of every contact in the company.