According to a TechCrunch article, an independent security researcher found a database exposed to the Internet with no password protection containing millions of banking and financial documents including mortgage and tax documents. The article does an excellent job of detailing the findings and the sources but there are a few important things that we can take away from the incident.
Your data is out there. Whether it’s this leak, the recent Starwoods Suites / Marriott breach, the Equifax breach or some other breach, it’s naive to believe that your data isn’t “out there”. With that in mind, it’s crucial that we take protections to mitigate the damage that attackers can do with the data that they have. Use separate, unique passwords for everything so that one leaked password doesn’t grant complete access to everything you have. Use multi-factor authentication anywhere that it’s available. Be mindful of potential attacks using your information (a suspicious email claiming to be from your bank, a suspicious phone call claiming to be the medical billing provider for your doctor, a suspicious phone call claiming to be with your financial institution, etc.).
Your IT is likely doing a phenomenal job, but an extra set of eyes can never hurt. In this case, I’m certain that no one made conscious decision to to leave a production database containing millions of sensitive documents (and, subsequently, another copy of the production database) exposed to the Internet without a password. Hiring a third party to regularly test your environment via vulnerability assessments or penetration testing can allow that trusted third party to identify the vulnerability and notify you before a threat actor is able to exploit it for their own malicious benefit.
Piratica works with organizations to identify vulnerabilities that could lead to the attacks on the confidentiality, integrity and / or availability of our client’s data and we work with those organizations and their IT support teams to develop a roadmap to mitigate or minimize the risk that a successful threat actor could pose by successfully exploiting these vulnerabilities. If you would like more information on the services that we provide, including a free vulnerability scan, let us know.
Misc / Erratta