Much like death and taxes, the inevitable has happened: another company has exposed its customer data. Who’s the culprit this week? FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody.
According to TechCrunch, last week, three FitMetrix servers were found by a security researcher to be leaking customer data. How long the servers remained exposed is unknown, but in September, the servers were indexed by Shodan, a search engine for open ports and databases.
The servers included two identical ElasticSearch instances and a storage server — all hosted on Amazon Web Services — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.
What data was exposed?
More than 113.5 million records (though it remains unclear how many users were affected). “Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more.”
Out of the box, DivvyCloud’s software would have detected this misconfigured instance and automated the remediation to close this vulnerability in real time.
Like so many AWS, GCP, Azure, and Alibaba cloud services, AWS ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.
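The exposure described above comes down to a domain that answered to anyone, and the most common way that happens on AWS ElasticSearch Service is a domain access policy that grants `Allow` to a wildcard principal with no effective restriction. The checker below is an added example, not DivvyCloud's software or code from the article: it classifies each statement of a domain access policy (the JSON document AWS returns as the domain's access policy) as open, IP-restricted, conditional, or scoped to named principals, and treats an IP condition of `0.0.0.0/0` as no restriction at all. The account id, domain name, CIDR and role name in the sample policies are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Tuple


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, unauthenticated."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _source_ip_ranges(condition: Dict[str, Any]) -> List[str]:
    """Collect aws:SourceIp ranges from IpAddress-style condition operators."""
    ranges: List[str] = []
    for operator, keys in condition.items():
        # Matches "IpAddress" and set-operator forms such as "ForAnyValue:IpAddress".
        if operator.split(":")[-1] == "IpAddress":
            ranges.extend(_as_list(keys.get("aws:SourceIp")))
    return ranges


def classify_statement(stmt: Dict[str, Any]) -> str:
    """
    Returns one of:
      "open"        - Allow to a wildcard principal with no effective restriction
      "restricted"  - Allow to a wildcard principal, but only from specific CIDRs
      "conditional" - Allow to a wildcard principal gated by a non-IP condition
                      (flag for manual review; this checker does not evaluate it)
      "scoped"      - Allow to named principals, or a Deny statement
    """
    if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
        return "scoped"
    condition = stmt.get("Condition") or {}
    if not condition:
        return "open"
    ranges = _source_ip_ranges(condition)
    if ranges:
        # An IP condition that admits every address is no restriction at all.
        return "open" if any(r in ("0.0.0.0/0", "::/0") for r in ranges) else "restricted"
    return "conditional"


def audit_access_policy(policy_document: str) -> List[Tuple[str, str]]:
    """Classify every statement in a domain access policy given as a JSON string."""
    policy = json.loads(policy_document) if policy_document.strip() else {}
    return [(stmt.get("Sid", f"statement-{i}"), classify_statement(stmt))
            for i, stmt in enumerate(_as_list(policy.get("Statement")))]


def is_open_to_anyone(policy_document: str) -> bool:
    """True when at least one statement leaves the domain reachable by anyone."""
    return any(verdict == "open" for _, verdict in audit_access_policy(policy_document))


# Constructed sample policies (not from the article); account id, domain name,
# CIDR and role name are placeholders.
_RESOURCE = "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "es:*", "Resource": _RESOURCE}]})

# Looks restricted, but 0.0.0.0/0 admits every source address.
FAKE_RESTRICTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyIp", "Effect": "Allow", "Principal": "*",
     "Action": "es:ESHttp*", "Resource": _RESOURCE,
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}]})

OFFICE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOffice", "Effect": "Allow", "Principal": "*",
     "Action": "es:ESHttp*", "Resource": _RESOURCE,
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})

ROLE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowIngestRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ingest"},
     "Action": "es:ESHttp*", "Resource": _RESOURCE}]})


if __name__ == "__main__":
    for name, doc in [("open", OPEN_POLICY), ("fake-restriction", FAKE_RESTRICTION_POLICY),
                      ("office-only", OFFICE_ONLY_POLICY), ("role-only", ROLE_ONLY_POLICY)]:
        print(f"{name:16s} open={is_open_to_anyone(doc)} {audit_access_policy(doc)}")
```

In a real audit the policy document would be pulled from each domain's configuration rather than embedded, and the "conditional" verdict deserves a human look: conditions such as an organisation id or a VPC source can genuinely limit a wildcard principal, but this checker does not reason about them, so it reports them rather than silently passing them.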
First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.
DivvyCloud solves these challenges for customers like General Electric, Discovery Communications, and Fannie Mae using cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of cloud and container infrastructure allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.
In a nutshell, we mitigate security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure.