Unsecured databases continue leaking millions of records

UK ISP and telecom provider Virgin Media has confirmed on Thursday that one of its unsecured marketing databases had been accessed by on at least one occasion without permission (though the extent of the access is still unknown).

The database, containing contact and service details of approximately 900,000 customers, was not technically breached.

“The incident did not occur due to a hack but as a result of the database being incorrectly configured,” Virgin media said. Access to it was not secured and the database was accessible online for 10 months.

There were no financial details or passwords in it, but the potentially compromised information is enough for skilled phishers to mount attacks via email or phone, trying to get the affected customers to give out additional sensitive information that could be used to steal their identity.

Also on Wednesday, Comparitech revealed that, in January, its security research team discovered a similarly unsecured and exposed database with 200 million records containing a wide range of property-related data on US residents.

“The largest portion of the data is a mix of personal, demographic, and property information,” shared Comparitech’s Paul Bischoff.

The records are pretty thorough – they contain individuals’ name, address, email address, age, gender, ethnicity, employment into, credit rating, investment preferences, income, net worth, as well as information on their habits (e.g., whether they travel, donate to charity, have pets, etc.) and about their property (market value, mortgage amount, tax assessment info, etc.).

“The detailed personal, demographic, and property information contained in this dataset is a gold mine for spammers, scammers, and cybercriminals who run phishing campaigns. The data allows criminals not only to target specific people, but craft a more convincing message,” Bischoff pointed out.

Interestingly enough, they were unable to discover who is the owner of the database. As it was hosted on an exposed Google Cloud server, the alerted the company and it was taken offline on March 4.

The problem with data in the cloud

Time and time again, usecured databases hosted in the cloud end up accessed by unauthorized parties due to configuration mistakes.

Eldad Chai, CEO and co-founder of data protection and governance firm Satori Cyber, says that happens because today’s model for data security is completely inadequate for the cloud.

“For years, data has been couched in layers of security, from network security to application security, end-point security to anomaly detection. This approach ensured that gaps were more or less covered and significantly limited the real threat of a data leak. Unfortunately, this layered security approach has failed to be implemented as companies migrate to the cloud—and nothing else has taken its place,” he noted.

“Relying on cloud configuration management alone cannot keep companies safe from data leaks and is many steps short of keeping big data stores safe. It is enough for one employee to replicate a VM housing sensitive data to an environment that is not configured to hold it to bring the whole [thing] down.”

While necessary, cloud configuration management shouldn’t be the last line of data security defense, he says, as it’s not isolated from environment changes, simple to configure and enforce, transparent and universal (running on any environment).

UPDATE (March 9, 2020, 3:23 a.m. PT):

London-based TurgenSec, whose researchers discovered and responsibly reported the unsecured Virgin Media database, has shared more information about what kind of (potentially sensitive) information the database contained.