An unprotected Elasticsearch database exposed at least four million “opportunity applications” for internships at AIESEC, billed as “the world’s largest youth-run organization” with more than 100,000 members in 127 countries.

SecurityDiscovery.com researcher Bob Diachenko of SecurityDiscovery.com, found the information, which included email addresses, full names, birth dates and gender as well as an in-depth description of applicants’ reasons for applying for the internships as well as details from interviews, according to a SecurityDiscovery.com blog post.

“Merry belated Christmas, millennials. By the way,your data was exposed,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “Of the four million intern applications unprotected, a company rep claims only 40 of the records were actually exposed. No matter what the count is, it just goes to continue prove a major point… companies all around the world are not all protecting personal data.”

Diachenko reported the findings to AIESEC, which responded quickly, explaining that the data had been “cached on the node for testing purposes and mistakenly left unsecured,” and assuring researchers that the server no longer contained sensitive data.

“The vulnerability arose from a misconfiguration that was introduced into the Elasticsearch servers while evaluating certain improvements for the cluster as part of a current infrastructure improvement project we are running,” SecurityDiscovery.com cited an AIESEC spokesperson as saying. “We started work around 20 days ago [prior to Jan 11th, when notification was sent. – Bob Diachenko’s note], so this is around when the misconfiguration was introduced.”

The organization said it had “already contacted the data protection authorities and the affected users as per GDPR protocol.”

While the “company is a non-profit organization, GDPR fines may still apply,” said Deveaux, noting that when personally identifiable information (PII) is written to a database or file, organizations could prevent exposure by simply applying some basics.  “If ‘Taylor Smith’ was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.” 

Lucy Security CEO Colin Bastable said that although GDPR penalties do “apply to the global revenues of virtue-signaling non-profits just as much as they do to their virtue-seeking corporate sponsors,” he expected AIESEC likely “will get a slap on the wrist, and the IT budget will be invested appropriately in keeping [Global Vice President Information Management] Laurin Stahl out of the IT security press next year.”

Bastable lambasted the organization for not focusing on data protection and investing too little in security. Citing the company’s financial report, he said “AIESEC spent 778,914 Euros on salaries and personnel, but only 29,600 on IT. Possibly, the 218,500 Euros spent on IM and BI (information management and business intelligence) could include IT security, but if so, it was not enough, nor of the right quality.”