This misconfiguration epidemic has seen the theft or loss of more than 14 billion data records in the last five years as reported by Breach Level Index.
Misconfiguring a cloud database, storage container, or search engine can have massive consequences, especially if it contains personal information. Just ask Facebook: earlier this year, 540 million user records were exposed through a misconfigured S3 bucket. A publicly accessible MongoDB database with misconfigured settings put Verification.io in the news when it exposed 150 gigabytes of customer data. Elasticsearch, a more recent culprit, left companies including Rubrik, Voipo, Meditab, and Dow Jones with caches of customer information sitting on publicly exposed servers without passwords, and now we can add one more to the list.
TechCrunch reported that yet another company has misconfigured an Elasticsearch server. Ladders, a popular U.S.-based recruitment company, exposed over 13 million user records when it left its Elasticsearch server publicly accessible without a password. Ladders joins the rapidly growing list of organizations that have fallen victim to the 2019 trend of misconfigured Elasticsearch databases.
Here are eight other organizations that have misconfigured Elasticsearch servers this year:
- Voipo: Telecoms company that provides VoIP services
- Mountberg Limited: Online casino group
- Ascension: Data and analytics company for the financial industry
- Rubrik: IT security and cloud data management
- Dow Jones: Stock market index
- Gearbest: Chinese ecommerce company
- Meditab: Health tech company
- Steps to Recovery: Addiction rehabilitation organization
What happened this time?
Ladders left an Elasticsearch server unprotected, without a password. We aren't sure exactly how that happened, but a plausible scenario is that a developer tweaked the configuration while troubleshooting and, once the application was working again, moved on to another project, forgetting about the now-unprotected Elasticsearch server entirely. There are dozens of situations that can change the configuration of a cloud asset. Organizations are often left vulnerable because they have no process in place to prevent or manage improperly secured software configurations and deployments.
“Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.”
How can companies avoid exposing their data?
As a basic step to avoid data leaks, we recommend taking advantage of native cloud capabilities. Prevent unauthorized access by always using the cloud provider's storage access policies deliberately to define who may reach the objects stored within. Training is critical: make sure your team knows not to open access to the public unless it is absolutely necessary, and that they understand that an incorrectly configured policy can expose PII and other sensitive data.
The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency protects against a breach. This is why an investment in a cloud management platform is a vital additional step.
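The advice above is to lean on the provider's own storage access policies and never open a bucket to the public by accident. Below is an added example, written for this post and not DivvyCloud's or any cloud provider's code, of the kind of automated check that makes "100% consistency" achievable in practice: it reads an S3-style bucket policy document and the bucket's Block Public Access settings and reports anything that grants anonymous access. The two policy documents, the account id and role name, and the bucket name are constructed samples; the function names are this example's own.

```python
"""Audit an S3-style bucket policy and Block Public Access settings for public exposure.

Added example for this post (not DivvyCloud's code). Sample policies and
account identifiers below are constructed and do not refer to any real account.
"""
import json

# The four S3 Block Public Access switches; a safe bucket has all of them on.
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True when a Principal element means 'anyone': "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_public_statement(stmt):
    """An Allow statement to everyone with no Condition grants anonymous access.

    A Condition (for example an aws:SourceIp restriction) narrows the grant, so
    such statements are not flagged here; they still deserve a manual review.
    """
    return (
        stmt.get("Effect") == "Allow"
        and principal_is_everyone(stmt.get("Principal"))
        and not stmt.get("Condition")
    )


def public_findings(policy_json):
    """Return [(Sid, [actions])] for every statement that opens the bucket to the public."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if is_public_statement(stmt):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def block_public_access_gaps(settings):
    """Return the Block Public Access switches that are missing or turned off."""
    return [key for key in BLOCK_PUBLIC_ACCESS_KEYS if not settings.get(key, False)]


def audit_bucket(policy_json, settings):
    """Run both checks; empty lists mean nothing public was found."""
    return {
        "public_statements": public_findings(policy_json),
        "block_public_access_gaps": block_public_access_gaps(settings),
    }


# Constructed sample: the weak setting, a policy that lets anyone read every object.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Constructed sample: the corrected policy, scoped to one application role.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

SETTINGS_OFF = dict.fromkeys(BLOCK_PUBLIC_ACCESS_KEYS, False)
SETTINGS_ON = dict.fromkeys(BLOCK_PUBLIC_ACCESS_KEYS, True)

if __name__ == "__main__":
    print("permissive bucket:", audit_bucket(PERMISSIVE_POLICY, SETTINGS_OFF))
    print("restricted bucket:", audit_bucket(RESTRICTED_POLICY, SETTINGS_ON))
```

Run as a scheduled job over every bucket's policy and Block Public Access configuration, a non-empty result is the signal to alert on before the data shows up in a researcher's report. The same deny-by-default posture applies to the Elasticsearch servers in the list above: a service that answers on a public interface without authentication is a configuration finding, not a networking detail.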
Interested in learning more? Speak with a DivvyCloud expert today!
Watch DivvyCloud’s 60 second video to learn how we help customers like GE, 3M, Autodesk, Discovery, and Fannie Mae stay secure and compliant.
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.