Communications provider Voipo left a customer database exposed, revealing tens of gigabytes of customer data, including personally identifiable information.
Independent researcher Justin Paine discovered the improperly secured Elasticsearch database belonging to the voice-over-IP provider. It contained nearly seven million call logs, six million SMS/MMS message logs, and plaintext internal system credentials, including unencrypted passwords, according to a Jan. 15 blog post.
The database held message and call logs dating back to May 2015, and because it required no authentication, anyone who reached it could watch real-time streams of call logs and messages sent between users.
The information was exposed from June 3, 2018 until Jan. 8, 2019, when it was discovered and subsequently pulled offline. Many security professionals have already criticized the firm's neglect.
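The failure described above is an Elasticsearch node reachable over the network with no authentication in front of it. The check below is an added example, not code from the article, from Paine's research or from Voipo: it issues the same two unauthenticated requests a stranger on the internet would make (the root document and the index catalogue) and classifies the answer. The hostnames and JSON responses are constructed for offline use; `http_fetch` is what you would pass to run it against a host you are authorised to test.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example, not from the article or Voipo. The sample responses below are
constructed; point probe_elasticsearch() at a real host (with http_fetch)
only where you have authorisation to test it.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain GET with no credentials; returns (status, body), keeping HTTP errors as statuses."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def probe_elasticsearch(base_url: str, fetch: Fetcher = http_fetch) -> Dict:
    """Classify an endpoint as 'open', 'auth_required' or 'unknown'.

    'open' means the root document (cluster name, version) and the index list
    are readable with no Authorization header, which is the state that let the
    Voipo data be read by anyone who found the port.
    """
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    report = {"url": base, "state": "unknown", "cluster_name": None,
              "version": None, "indices": []}
    if status in (401, 403):
        report["state"] = "auth_required"
        return report
    if status != 200:
        return report
    try:
        root = json.loads(body)
    except ValueError:
        return report
    if "cluster_name" not in root or "version" not in root:
        return report  # something answers, but it does not look like Elasticsearch
    report["cluster_name"] = root["cluster_name"]
    report["version"] = root["version"].get("number")

    # The index catalogue is what turns "port is open" into "data is exposed".
    status, body = fetch(base + "/_cat/indices?format=json&h=index,docs.count,store.size")
    if status == 200:
        try:
            for row in json.loads(body):
                report["indices"].append({
                    "index": row.get("index"),
                    "docs": int(row.get("docs.count") or 0),
                    "size": row.get("store.size"),
                })
        except ValueError:
            pass
    report["state"] = "open"
    return report


def exposed_docs(report: Dict) -> int:
    """Total documents readable without auth, useful for ranking findings."""
    return sum(i["docs"] for i in report["indices"]) if report["state"] == "open" else 0


# ---- constructed sample responses (hypothetical hosts, not real Voipo data) ----
OPEN_RESPONSES = {
    "http://es-open.example/": (200, json.dumps({
        "name": "node-1", "cluster_name": "dev-cluster",
        "version": {"number": "6.4.2"}, "tagline": "You Know, for Search"})),
    "http://es-open.example/_cat/indices?format=json&h=index,docs.count,store.size": (200, json.dumps([
        {"index": "call-logs", "docs.count": "6900000", "store.size": "18gb"},
        {"index": "sms-logs", "docs.count": "6000000", "store.size": "9gb"},
        {"index": ".kibana", "docs.count": "3", "store.size": "12kb"}])),
}
SECURED_RESPONSES = {
    "http://es-secured.example/": (401, json.dumps({
        "error": {"type": "security_exception",
                  "reason": "missing authentication credentials for REST request [/]"},
        "status": 401})),
}


def canned(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build a fetcher that answers from a dict, so the probe runs offline."""
    return lambda url: responses.get(url, (404, ""))


if __name__ == "__main__":
    for table in (OPEN_RESPONSES, SECURED_RESPONSES):
        base = next(iter(table)).rstrip("/")
        rep = probe_elasticsearch(base, canned(table))
        print(f"{base}: {rep['state']} ({exposed_docs(rep)} docs readable without auth)")
```

A 200 on `/` with a `cluster_name` and an index listing is the whole finding: Elasticsearch of that era did not enforce authentication out of the box, so a node bound to a public interface without a reverse proxy, firewall rule or security plugin in front of it handed its entire contents to any unauthenticated request. Running this check against your own address space from the outside, on a schedule, is the cheap control that would have caught the exposure on the first day rather than after seven months.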
AttackIQ Chief Technology Officer and co-founder Stephan Chenette told SC Media it doesn't take much for outsiders to find unsecured databases and access sensitive information, and that several tools are available to detect misconfigurations in cloud services such as Amazon S3 storage.
“Data leaks of any kind can undermine customer confidence and are usually caused by security issues, or in Voipo’s case, technical errors, that are easily preventable,” Chenette said. “Unauthorized exposure of any type of customer data, for any period, is a serious issue and organizations should always have a plan to continuously assess the viability of their security controls.”
Other experts agreed. Bitglass Chief Managing Officer Rich Campagna described the exposed database as inexcusable.
“Voipo is yet another example of a company that exposed massive amounts of sensitive consumer data because of a simple security mistake,” Campagna said. “Leaving a database publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data.”
Voipo chief executive Timothy Dick confirmed the data exposure to TechCrunch, adding that this was "a development server and not part of our production network." Paine told the publication he disputed that characterization, given the specifics and the volume of the data exposed in the database.