Gearbest security lapse exposed millions of shopping orders
Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and shopping orders, security researchers have found. Researcher Noam Rotem found an unprotected Elasticsearch server leaking millions of records each week, including customer data, orders and payment records.
Terry Ray, SVP and Imperva Fellow, said, “Misconfigurations, misconfigurations. Good people doing the best they can in a changing cyber world that’s hard to near impossible to keep up with. Too often, private information is collected, yet the collecting organization doesn’t monitor who has access to the data, when the data is viewed, or whether the data has been stolen. The problem of misconfiguration is generally more common at large companies than smaller ones, where everyone can look at everything. The bigger the company, the harder it is to maintain process. Like Rubrik, the State Bank of India, and others, Gearbest made a similar error leaving an unprotected server housing user data exposed. What we’ve seen — and continue to see — is companies are accelerating their use of technologies more than they’re enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses. The use of modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.”
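The two failures the quote describes, a server bound to a public interface with no authentication and no record of who reads the data, are visible in a node's elasticsearch.yml and can be checked mechanically. The audit script below is an added example, not code from the article or from Gearbest; both configuration snippets are constructed samples, and the script conservatively treats an absent xpack.security.* key as not enabled.

```python
"""Audit an elasticsearch.yml for the settings that turn an internal
cluster into a publicly readable data store (added example)."""
import re

# Constructed sample: reachable from any interface, security switched off.
WEAK_CONFIG = """\
cluster.name: orders-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
# Constructed sample: internal address only, auth, TLS and audit log on.
HARDENED_CONFIG = """\
cluster.name: orders-cluster
network.host: 10.0.5.12          # internal address only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.audit.enabled: true
"""

_KV = re.compile(r"^\s*([\w.]+)\s*:\s*(.+?)\s*$")
# network.host values that bind every (or every non-loopback) interface
_PUBLIC_HOSTS = {"0.0.0.0", "::", "_global_", "_site_"}

def parse_settings(text):
    """Minimal parser for the flat 'dotted.key: value' lines of elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line.split("#", 1)[0])   # drop trailing comments
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def _enabled(settings, key):
    # Conservative assumption: a key that is absent counts as not enabled.
    return settings.get(key, "false").lower() == "true"

def audit(text):
    """Return the findings for one config; an empty list means none of the checked risks."""
    s = parse_settings(text)
    findings = []
    if s.get("network.host", "localhost") in _PUBLIC_HOSTS and not _enabled(s, "xpack.security.enabled"):
        findings.append("node binds a public interface with authentication off: "
                        "anyone who can reach the HTTP port can read every index")
    if not _enabled(s, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP TLS is off: credentials and records travel in the clear")
    if not _enabled(s, "xpack.security.audit.enabled"):
        findings.append("audit logging is off: no record of who read which data, or when")
    return findings
```

Run `audit()` over each node's config as part of deployment review; the exposure finding is the one that matches the incident described above, the other two cover what the quote calls the missing monitoring.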