There has been an overabundance of articles within the past day highlighting organizations that placed an ElasticSearch database in the wild without a password.
- The fine folks at Urban in the UK offered up 309,000 customer profiles.
- Sky Brasil told Urban to “hold my beer” and upped the ante with data related to 32 million subscribers.
- An organization yet to be officially confirmed as Data & Leads told Sky Brasil and Urban to “hold my beer” and went all out with a multi-week exposure of data related to 57 million US citizens.
While the security researchers noted in the respective articles have helped prevent further exposure of this data, the complete lack of due diligence by the individuals or organizations that served up a smorgasbord of freely available intel for adversaries is incredibly frustrating. As long as organizations publish volumes of data without basic “Day 1” security principles or controls, incidents caused by staff not taking the time to RTFM, or to engage with peers who have experience with a given platform, will continue to result in unfettered access to potentially sensitive data.
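As an added illustration, not part of the original post: the Python script below audits an elasticsearch.yml for the exact pattern behind all three incidents, a node bound to a non-loopback address with authentication switched off. The two configuration samples are constructed for this example; the setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings, and treating an absent xpack.security.enabled as "off" is an assumption chosen as the conservative reading (it also matches the pre-8.x basic-licence default).

```python
"""Audit an elasticsearch.yml for the 'door wide open' configuration:
a node listening beyond loopback with no authentication.

Added example, not code from the original post. The two configs are constructed."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: the configuration behind the exposures in the article.
EXPOSED_CONFIG = """
cluster.name: customer-profiles
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed sample: a "Day 1" baseline.
HARDENED_CONFIG = """
cluster.name: customer-profiles
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Read the flat `key: value` lines elasticsearch.yml normally consists of.
    Assumption: no nested mappings or multi-line lists, so no PyYAML dependency
    is needed and the check runs anywhere."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _as_bool(value, default: bool) -> bool:
    """Elasticsearch boolean settings are the strings 'true' / 'false'."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def audit(settings: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []

    # Elasticsearch binds to loopback unless network.host says otherwise.
    host_value = settings.get("network.host", "_local_")
    hosts = [h.strip() for h in host_value.strip("[]").split(",") if h.strip()]
    public_hosts = [h for h in hosts if h not in LOOPBACK]

    # Assumption: a missing xpack.security.enabled is treated as disabled.
    auth_on = _as_bool(settings.get("xpack.security.enabled"), default=False)
    tls_on = _as_bool(settings.get("xpack.security.http.ssl.enabled"), default=False)

    if public_hosts and not auth_on:
        findings.append(
            "CRITICAL: network.host=%s with authentication disabled; anyone who "
            "can reach port %s can read and modify every index"
            % (",".join(public_hosts), settings.get("http.port", "9200"))
        )
    elif public_hosts and not tls_on:
        findings.append(
            "WARN: authentication is on but HTTP TLS is off; credentials and "
            "data cross the network in clear text"
        )
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_text(cfg) or ["OK"])
```

Run this against your own elasticsearch.yml before a node ever sees a routable address. A loopback bind alone passes the check; if the cluster must be reachable from elsewhere, enable authentication and TLS first and keep 9200 behind a firewall, VPN or authenticating reverse proxy rather than opening it to the internet.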
In incidents such as those at Dunkin’ Donuts and Dell, considerable effort was required to gain access to the respective companies’ systems. Those organizations didn’t leave the door wide open the way Urban, Sky Brasil, and the to-be-confirmed-as-Data & Leads organization chose to do with their ElasticSearch solutions.