49 million user records from US data broker LimeLeads put up for sale online | ZDNet
Data from an exposed LimeLeads Elasticsearch server ends up on a hacking forum.
In yet another case of personal data left exposed online, 49 million user records belonging to US data broker LimeLeads, reportedly taken from an Elasticsearch server that had been left reachable without authentication, were put up for sale on a hacking forum.
Jonathan Deveaux, head of enterprise data protection at comforte AG:
“Ever wonder why you may be seeing more spam and phishing emails popping up in your work-domain email? Data breaches and exposure incidents like this could be the reason. It’s easy to assume that ‘data in the cloud’ and ‘Elasticsearch’ databases are the reason for the data breaches; both have been found in other large-scale data breaches reported in 2018 and 2019. However, cloud and databases are infrastructure technologies, and applying truly effective data security goes beyond the act of turning on infrastructure security. In this particular case, not only did this company fail to set up access security for the internal server that contained this data, the company also failed to encrypt or tokenize the data itself. Encryption and tokenization are actually more important than access security, because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. The encrypted or tokenized data could not be listed for sale on the dark web because the data would be undecipherable. The takeaway should be – ‘If you collect it, protect it.’ Sensitive data should *not* be accessible by everyone, and sensitive data should *not* be stored in its clear-text format no matter if it is in your secured network, in the cloud, or in databases.”
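To make the tokenization Deveaux describes concrete, here is an added example (written for this page, not code from ZDNet, comforte AG, LimeLeads or Panorays). It replaces the PII fields of a lead record with random tokens before the record is written to a search index, keeps the token-to-value mapping in a vault, and then shows what an attacker who dumps the index unauthenticated would actually obtain. The `TokenVault`, `tokenize_record` and `demo` names, the field list and the sample leads are all assumptions made for the demo; the in-memory vault stands in for a separately secured store that would never sit on the same host as the index.

```python
# Added example (not from the ZDNet article, comforte AG or LimeLeads): vault-style
# tokenization of the PII fields in a lead record before it is written to a search
# index. The vault is an in-memory dict here, an assumption for the demo; in a real
# deployment it lives in a separately secured store, never beside the index.
import hashlib
import hmac
import json
import secrets

# Fields of a lead record that must never reach the index in clear text (assumed set).
SENSITIVE_FIELDS = ("full_name", "email", "phone")


class TokenVault:
    """Maps clear-text values to random tokens and back.

    Tokens are random, so the index alone reveals nothing about the value. A keyed
    hash of the value is used only as a lookup key, so the same email always gets the
    same token (deterministic tokenization keeps exact-match search on the index working).
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_by_hash = {}   # HMAC(value) -> token
        self._value_by_token = {}  # token -> clear value (the only way back)

    def _lookup_hash(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        h = self._lookup_hash(value)
        token = self._token_by_hash.get(h)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 random bits, unrelated to the value
            self._token_by_hash[h] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with every sensitive field replaced by its token."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field):
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(record: dict, vault: TokenVault) -> dict:
    """Reverse tokenize_record; only possible with access to the vault."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field):
            out[field] = vault.detokenize(out[field])
    return out


def leaked_values(index_dump: str, clear_values) -> list:
    """Simulate an attacker dumping the index: which clear-text values appear verbatim?"""
    return [v for v in clear_values if v in index_dump]


# Constructed sample leads: fictitious people, reserved example domains and 555 numbers.
SAMPLE_LEADS = [
    {"id": 1, "full_name": "Ada Example", "email": "ada@example.com",
     "phone": "+1-555-0100", "company": "Example Corp", "title": "CTO"},
    {"id": 2, "full_name": "Bob Sample", "email": "bob@example.org",
     "phone": "+1-555-0101", "company": "Sample LLC", "title": "CFO"},
    {"id": 3, "full_name": "Ada Example", "email": "ada@example.com",
     "phone": "+1-555-0100", "company": "Example Corp", "title": "Board member"},
]


def demo(leads=SAMPLE_LEADS) -> dict:
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    indexed = [tokenize_record(r, vault) for r in leads]
    # What an unauthenticated dump of the index yields: tokens plus business fields only.
    dump = json.dumps(indexed)
    clear = {r[f] for r in leads for f in SENSITIVE_FIELDS}
    return {
        "indexed": indexed,
        "leaked": leaked_values(dump, clear),
        "restored": [detokenize_record(r, vault) for r in indexed],
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["indexed"], indent=2))
    print("clear-text PII visible in the index dump:", result["leaked"])
```

The index still supports the searches a sales team needs (by company, title, or exact email via its token), but a dump of it contains no names, emails or phone numbers. The caveat a practitioner should keep in mind is that deterministic tokens let an attacker count how often one person appears across records, which is why the vault key and the vault itself must be kept off the indexing host and behind their own access controls.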
Elad Shapira, head of research at Panorays:
“It’s a new breach, but not a new story. Once again, we see how a lack of proper security controls can result in massive data exposure. In this case, LimeLeads neglected to set up a password for an internal server, which would have prevented 49 million user records from being lifted and sold online. Most concerning, however, is the impact that this breach has on the companies and contacts that were part of that stolen data, who can now be targeted for spear-phishing attacks. The takeaway from this, as well as from the many similar data exposure incidents, is clear: organizations must assess and continuously monitor the security of their own data—as well as the data used by their business partners—and be vigilant about how sensitive information is stored.”