
The recent massive breach of sensitive Ecuadorian population data is yet another case in which no actual hack was involved. The data owner, the Ecuadorian company Novaestrat, simply left an unsecured Elasticsearch database exposed on a publicly accessible server in Miami. The database contained records on about 20 million individuals, more than Ecuador's population of roughly 16 million, because some of the records belonged to deceased people.

This is not the only breach caused by an exposed database and while Elasticsearch seems to be the most common platform, it is not the only one. Here are some examples from 2019 alone:

  • In August 2019: BioStar 2 (Elasticsearch, over 1 million records including fingerprints and facial recognition data)
  • In July 2019: Honda Motor Company (Elasticsearch, 134 million rows of data about company employees)
  • In June 2019: Chinese IoT device manufacturer, Orvibo (Elasticsearch, 2 billion device user records) and Thedatarepo (MongoDB, 188 million personal records)
  • In May 2019: Pyramid Hotel Group (Wazuh, an open-source intrusion detection system, 85 GB of security logs including personal information) and an Indian database of unknown ownership (MongoDB, 275 million personal records)
  • In March 2019: Beijing Jidao Network Technology (Elasticsearch, 33 million job profiles)
  • In February 2019: Dow Jones (Elasticsearch, 2.4 million client records) and a separate MongoDB instance with over 800 million email records
  • In January 2019: Rubrik (Elasticsearch, tens of gigabytes of customer data) and CitiFinancial (Elasticsearch, 24 million mortgage records)

Why Does It Happen?

The database system developers are not to blame. Elasticsearch, for example, binds only to the loopback interface by default (network.host defaults to _local_), so a fresh installation is not reachable from outside the host. Someone has to deliberately bind it to a public address, or to a private address behind a firewall that is then misconfigured, for the database to become exposed.

Unfortunately, until May 2019 (Elasticsearch 6.8 and 7.1), core security features such as TLS and user authentication were available only under a paid license. Companies that opted to save money and chose the free version therefore had to protect their databases by other means, typically a firewall, a VPN, or an authenticating reverse proxy, and many failed to do so. Nodes that have not been upgraded since then still run without any built-in authentication.
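The two mistakes described above, a non-local bind address and a node running without authentication or TLS, are easy to check for. The following script is an added example written for this article, not code from Acunetix or from the Elastic project. It audits a flat elasticsearch.yml text for these settings and classifies the HTTP response of a probe against port 9200. The sample configurations and the sample cluster response are constructed for illustration; the setting names are the real Elasticsearch ones, and the assumption that a missing xpack.security.enabled means "disabled" matches the 6.x/7.x default (8.x enables security by default).

```python
"""Check an Elasticsearch node for the misconfigurations behind the exposed-database breaches:
an HTTP API bound to a non-local address, no authentication, and no TLS.
Added example for this article; sample configs and responses below are constructed."""
import json
import urllib.error
import urllib.request

# Addresses that keep the HTTP API on the host itself. Elasticsearch's default is _local_.
LOCAL_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed sample: the kind of config that produces a publicly reachable, open cluster.
WEAK_CONFIG = """
cluster.name: example-cluster      # constructed sample
network.host: 0.0.0.0              # binds every interface, including the public one
http.port: 9200
"""

# Constructed sample: private address, native authentication and TLS on the HTTP port.
HARDENED_CONFIG = """
cluster.name: example-cluster      # constructed sample
network.host: 10.0.0.5             # private interface only; firewall still required
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed sample of the root document an unauthenticated 7.x node returns on GET /.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1", "cluster_name": "example-cluster",
    "version": {"number": "7.1.0"}, "tagline": "You Know, for Search",
})


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines used in elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML is not needed for these keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(text):
    """Return a dict with the exposure state and a list of severity-tagged findings."""
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the HTTP bind address; both default to _local_.
    raw_hosts = s.get("http.host", s.get("network.host", "_local_")).strip("[]")
    hosts = {h.strip().strip("\"'") for h in raw_hosts.split(",") if h.strip()}
    exposed = any(h not in LOCAL_HOSTS for h in hosts)
    # 6.x/7.x default: security off unless explicitly enabled (assumption stated in lead-in).
    auth = s.get("xpack.security.enabled", "false").lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    findings = []
    if exposed:
        findings.append("WARN: HTTP API bound to non-local address(es) %s" % sorted(hosts))
    if exposed and not auth:
        findings.append("CRITICAL: cluster reachable over the network without authentication")
    if auth and not tls:
        findings.append("WARN: authentication enabled but HTTP TLS is off; credentials travel in cleartext")
    return {"exposed": exposed, "auth": auth, "tls": tls, "findings": findings}


def classify_probe(status, body):
    """Interpret the status code and body of a GET against the cluster root URL."""
    if status == 401:
        return "authentication required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown service"
        if doc.get("tagline") == "You Know, for Search" or "cluster_name" in doc:
            version = doc.get("version", {}).get("number", "?")
            return "unauthenticated Elasticsearch %s" % version
    return "unknown service"


def probe(url, timeout=5):
    """Fetch the cluster root document over the network; returns (status, body).
    Only call this against hosts you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
    print(classify_probe(200, SAMPLE_ROOT_RESPONSE))
    # Real-world use: print(classify_probe(*probe("http://10.0.0.5:9200/")))
```

The weak configuration produces the CRITICAL finding because the two conditions combine: a non-local bind address and no authentication. The hardened configuration still yields one WARN, which is deliberate: binding to a private address is only safe if a firewall in front of it is also correct, and that is exactly the control that failed in several of the incidents listed above.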

The primary reason behind such breaches is not technology but a lack of proper security policies in the business. Many still believe in security through obscurity: “If the database is not linked to, nobody will find it.” Others simply make configuration mistakes in database software and/or firewalls. Without proper security frameworks, this keeps happening and will keep happening.

How Can Acunetix Help?

Against breaches caused by exposed databases and misconfigured firewalls, the most reliable protection is regular web and network vulnerability scanning of your entire infrastructure. You could, of course, perform such scanning manually, but this is not viable in a business environment because it consumes a lot of resources and still does not guarantee complete coverage. Instead, you can use Acunetix for web vulnerability scanning and network vulnerability scanning. Acunetix can detect many exposed and unauthenticated databases (including Elasticsearch), as well as weak authentication (for example, common or default passwords).

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.