Australia-based events planning company Amazingco leaked more than 200,000 records after an Elastic database was left unprotected and accessible by anybody with a browser.
The database, since shutdown, housed 174,000 records in a folder called “Customers,” that a folder contained “names, email, phone numbers, addresses, and notes about the events,” Jeremiah Fowler, the researcher who discovered the database, wrote in a blog post.
Much of the information centered around children’s entertainment and wine tours, including customer feedback and internal notes on events, each “connected to the client’s real personally identifiable data and the files also included internal notes on the clients, their events and any challenges Amazingco’s staff experienced,” Fowler said.
Among the information exposed were “IP addresses, ports, Pathways, and storage info that cybercriminals could exploit to access deeper in to the network,” the researcher explained.
Fowler doesn’t know how long the data was exposed or if it had been accessed, but said it apparently was last indexed May 6, five days before he discovered and reported it to Amazingco.
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone,” said Tim Erlin, vice president, product management and strategy, at Tripwire. “A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet.”
Fowler called his discovery “yet another wake up call for any company large or small who collects customer data and stores it online.”
Contending “it does not matter the customers are software users from around the world or small children at a birthday party in Australia,” he said “the same data protection and privacy safeguards should be taken.”