PCR’s (UK) Top 10 Biggest data breaches of 2020
PCR is a leading information source for IT resellers and distributors in the United Kingdom. It reports its top 10 based on the number of records breached in the incidents selected. They cite the Risk Based Security Report to observes that nearly 3K breaches were reported just for Q1 2020, and the number records exposed at 36 billion (for the whole year of 2019, “only” 15 billion records were exposed). Here’s their top 10 list with some annotations and reflections, in ascending order by number of records breached:
10. Unknown source (201M): In January, 2020, security researchers found a database containing over 200M sensitive personal records online. The compromised host was on the Google Cloud Platform, so though the source or owner of the data remains unidentified, there’s no disputed that this collection of US personal and demographic data has a definite cloud connection. After Google was alerted to the matter, it took the server down over a month later.
9. Microsoft (250M): In January, 2020, MS itself reported a data breach on servers storing customer support analytics in its Azure Cloud. The records involved included email and IP addresses, plus support case details, stored on 5 ElasticSearch services, inadvertently disclosed owing to misconfigured security rules.
8. Wattpad (268M): In June, 2020, records belonging to this Canadian website and app for writers used to publish user-generated stories and text were exposed (later reports raise the count to 271M records). Malicious actors compromised the company’s SQL database which contained account information, email and IP addresses, and other personal data. Reports on this breach do not mention a specific cloud connection, but the site’s current DNS information appears to show it is hosted by Amazon Web Services (a definite cloud connection).
7. Broadvoice (350M): A US provider of Voice over IP (VoIP) services to business, October, 2020, reports confirm exposure of 350 million customer records from this company. Data disclosed includes names, phone numbers, and call transcripts, including calls to medical and financial services providers. Owing to a configuration error, security researchers were able to access ten of the company’s databases without providing access credentials. Broadvoice changed the configuration and notified relevant legal authorities. It’s not clear that these databases were cloud-based, though it’s hard to imagine a VoIP company NOT doing business in the cloud.
6. Estée Lauder (440M): In January, 2020, the company had an unprotected, unencrypted content management database containing 440M internal records exposed online. Information exposed included email and IP addresses, internal documents, and information related to the company’s education platform. No obvious cloud connection appears in breach data, this breaking story from Forbes magazine, nor in esteelauder.com DNS data.
5. Sina Weibo (538M): In March, 2020, the largest Chinese social media platform – cloud-based, of course – leading to exposure of details for over 538 million users on the dark web, purportedly obtained from a SQL database dump.
4. Whisper (900M): The popular secret-sharing, web-based Whisper app disclosed over 900 million user records. Data exposed included anonymous user confessions and related metadata (such as location coordinates and more) were publicly accessible in an unprotected, unencrypted database. At least one class action suit has been filed against the company, alleging unwanted and unauthorized disclosure of sensitive personal information. With 250 million users across 187 countries in 2017, Whisper is surely cloud-based.
3. Keepnet Labs (5B): This UK-based cybersecurity firm (!) experienced a breach when a contractor temporarily exposed a database containing five billion email addresses and passwords from previous data breaches. As with the Microsoft item, this involved an Azure-based ElasticSearch database. According to PCR: “it was migrating the ElasticSearch database and disabled the firewall for about 10 minutes to speed up the process.” This was enough time for security researchers to access this unprotected data.
2. Advanced Info Service (8.3B): This is Thailand’s largest GSM mobile phone service, which had to take down one of its ElasticSearch databases after a security researcher found an open, unprotected database containing 4TB of Internet usage data (8.3 billion records’ worth). Information disclosed included DNS queries and Netflow data, easily used to map users’ Internet activity. There’s the Azure cloud connection, yet again.
1. CAM4 (10.88 B): Another big incident from March, 2020, in which adult video streaming website CAM4 learned an unprotected ElasticSearch server was leaking 7TB of data (nearly 11B records). Information exposed included names, email and IP addresses, password hashes, chat and email transcripts, and payment logs.
Lesson Learned, Customer Burned
Several morals emerge from this story. Interestingly, it appears that configurations for ElasticSearch databases are incredibly important to check. It plays a role in nearly half (4) of these 10 incidents, 3 of which involved deliberate and temporary or accidental situations where the database was unprotected, open to anyone who found it. It’s hard to say when other unencrypted, unprotected databases are discovered by security researchers if these were exposed by accident or by malicious design from some unknown actor in-house (this seems to apply for most of the remaining breaches covered here). This moral should read: Make sure your databases are protected and encrypted, with regularly audited access controls to make sure only those with proper authentication and credentials can access them.