An unsecured cloud database containing the personal information of over 80 million US households was discovered by security researchers last week, exposing the data to anyone who knew the IP address of the system. The owner of the unprotected database remains unknown at this time, but the contents focused on adults over the age of 40. The database did not contain Social Security numbers or financial information, but did contain an assortment of potentially sensitive personal information including home addresses, age and estimated income.
Security researchers Noam Rotem and Ran Locar of virtual private network (VPN) testing service VPNMentor located the unsecured cloud database during an ongoing web mapping project that automatically port scans blocks of IP addresses. The researchers revealed in a blog post that they did not find any information about who the database belonged to, but did determine that it was hosted by Microsoft. Microsoft was able to contact the database owners and it has since been taken offline. It is unknown how long the database was online and who might have accessed it during that time, however.
What was in the unsecured cloud database?
Though the unsecured cloud database didn’t include the “keys to the kingdom” in terms of Social Security or credit card numbers, it held everything else that an aspiring identity thief would need.
The database contained the full name of each member of each household over the age of 40, with extremely granular information about their location (exact longitude and latitude coordinates of the home in addition to the street address). Each subject’s date of birth and current age were also in plain text. Coded information included gender, marital status, income bracket, type of home occupied and homeowner status.
In addition to providing comprehensive supporting information for identity theft, this information makes it easier for phishing scammers to drill down and build a profile on potential targets.
Whose database was it?
The identity of the owner of the unsecured cloud database makes for a very interesting mystery. Since it was on a cloud server, it can’t be traced back to the owner’s IP address. Microsoft notified the owner, but no information about them has been released to the public.
Tim Erlin, VP, product management and strategy at Tripwire, provided the following comments:
“Unfortunately, this type of breach is no longer unusual, but it is unusual to not know who owns the exposed data. Until we understand who the owner is, we’re limited to generalizations about this exposure.
“It’s clear, after so many incidents, that organizations do not have control over access to their data stored in the cloud. It’s not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis.”
The data stored is consistent with what a larger mortgage or insurance company would have, but the researchers at VPNMentor noted that key information that is common to databases of that type (such as policy numbers and payment information) was not present.
The fact that it is limited to adults aged 40 or older and does not include information about any younger persons in each household should greatly narrow the field of possible owners, yet it is still not at all clear who the database belonged to.
VPNMentor is soliciting public assistance to help identify the owner of the unsecured cloud database. Some interesting possibilities floated by commenters include:
The American Association of Retired Persons (AARP), which allows people to join at age 50 and has been known to aggressively target Americans with unsolicited postal mail advertising as they approach that age
A marketing agency for funeral directors and embalmers
A social media company
A scam operation that targets older Americans
Whatever the case, it is extremely unlikely the owner will publicly take responsibility for the unsecured cloud database if there is no legal obligation to do so as it would be avoidable bad PR.
What can people do to protect themselves from an unsecured cloud database?
Complete security lapses like these are tough on the average consumer. Much of this data is collated from public sources, such as public records and information that people voluntarily post on social media.
Some comes from data that is shared without full understanding of what is being done with it. United States data disclosure laws are not nearly as robust as those seen in the EU and elsewhere, and consumers are not always aware how much of their personal data is being sent by companies they trust with it to data brokers. These data brokers, in turn, are not required to disclose what they have collected or who buys it from them. The end user may have some right to opt out of this data collection, but is required to contact each broker individually to do so.
Consumers who generally practice good data security hygiene can thus still find their information stored in a cloud service such as the one that was compromised. It is then a matter of how well the company secures it; in this case, the database did not even require a password to access. This is hardly the first incident of this nature. These incidents are often simply a matter of misconfiguration, or even a lack of technical knowledge leading to an assumption that the unsecured cloud database can’t be accessed by anyone outside the company.
The most viable solution to this is stronger data privacy laws that require companies to secure sensitive personal information properly, and that provide for significant fines when they do not do so. The current situation, in which this unnamed company will likely get away scot-free after putting some 65% of America’s households at financial risk, does not incentivize data holders to practice proper cyber security.
“Yet again we see very private data being exposed, for a large percentage of US households, including name, full address, age, date of birth, and other personal information. This alone could be the basis for massive identity theft. There are laws in most states to protect consumers against this type of careless breach, and there should be a national law. This data was stored in a public cloud. Cloud data protection needs to be taken seriously to prevent this type of breach. Enterprises need to properly encrypt data in the cloud, including encrypting it from its point of creation or collection. They also need to protect data with access policy so that only authorized entities can retrieve it, and report on any unauthorized access so that the data can remain secured.”
Safely navigating the multicloud
At the moment, it’s impossible to know if any bad actors took advantage of this data breach before the people at VPNMentor located it and got it taken offline. What we do know is that security researchers are not the only ones out there scanning masses of IP addresses to catalog unsecured databases. It is vital for companies to understand that anything they connect to the internet will be scanned and tried by some sort of threat actor, and most likely within several hours.
“It is very unsettling to see so much sensitive data exposed to anyone with a computer and an internet connection. There are several services that continuously scan the internet these days, so it takes very little time for anything unprotected on the internet to be discovered. On a good day, the exposure is detected by a white hat researcher that alerts the owner, but on other days, threat actors do since they have access to the same capabilities as the good guys.
“This kind of exposure seems to me the result of a shift to multicloud that is done by people who do not understand what they have embarked on, or who do not have the tools to perform this journey to the cloud safely. Since the data exposed is hosted on a public cloud provider, I can only guess it is the work of some shadow IT, where a group or individual believed the data was safely stored when it wasn’t.
“The journey to multicloud is happening and there is no going back. The risks of not properly securing your multicloud environment are very serious though and I strongly recommend every company today engages with partners who understand networking, who understand the cloud and who can provide advice and solutions that will make that transition seamless and secure.”
Simply having an IP address that is not known outside of the company is not enough to secure the data, as this unsecured cloud database incident aptly demonstrates. If the cloud server hosting the data is not password-protected or properly secured, businesses should expect it to be compromised the same day it goes online.
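The two conditions that made this database reachable by anyone who knew its address (a firewall open to the whole internet, and no authentication required) are both things an owner can check for on a schedule, which is the continuous permission audit Erlin calls for above. The following is an added example, not code from the article, from VPNMentor or from any cloud provider: it audits a constructed inventory of database endpoints and flags public exposure, missing authentication and missing TLS. The `DbEndpoint` fields and the finding codes are assumptions standing in for whatever a real provider's API returns; the inventory shows the weak configuration beside its corrected form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Ranges that are not routable from the public internet. Anything a firewall
# allows outside these is reachable by whoever finds the address, which is
# exactly how the household database was found.
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "fc00::/7", "fe80::/10", "::1/128")
]


@dataclass
class DbEndpoint:
    """Constructed description of one cloud database endpoint. The field
    names are assumptions for this example, not any provider's real API."""
    name: str
    auth_required: bool          # does the service reject unauthenticated queries?
    allowed_cidrs: List[str]     # inbound source ranges permitted by its firewall
    tls_required: bool = True    # are cleartext connections refused?


def is_internet_reachable(cidrs: List[str]) -> bool:
    """True if any allowed source range lies outside the internal ranges.

    Checked with subnet_of rather than ipaddress's is_global property, which
    does not classify the catch-all 0.0.0.0/0 as global.
    """
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        internal = any(
            net.version == rng.version and net.subnet_of(rng)
            for rng in INTERNAL_RANGES
        )
        if not internal:
            return True
    return False


def audit(endpoints: List[DbEndpoint]) -> Dict[str, List[str]]:
    """Return finding codes per endpoint; an empty list means it passed."""
    report: Dict[str, List[str]] = {}
    for ep in endpoints:
        findings = []
        if is_internet_reachable(ep.allowed_cidrs):
            findings.append("PUBLIC_EXPOSURE")   # anyone who finds the IP can connect
        if not ep.auth_required:
            findings.append("NO_AUTH")           # and, once connected, can read everything
        if not ep.tls_required:
            findings.append("NO_TLS")
        report[ep.name] = findings
    return report


# Constructed inventory: the weak configuration beside its corrected form,
# plus an authenticated endpoint that is still open to a public range
# (203.0.113.0/24 is a documentation range, used here as a stand-in).
SAMPLE_INVENTORY = [
    DbEndpoint("households-prod", auth_required=False, allowed_cidrs=["0.0.0.0/0"]),
    DbEndpoint("households-prod-fixed", auth_required=True, allowed_cidrs=["10.20.0.0/16"]),
    DbEndpoint("reporting-ro", auth_required=True, allowed_cidrs=["203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else ", ".join(findings)
        print(f"{name:24} {status}")
```

Run on a schedule against the real inventory, a non-empty finding list for any endpoint is the alert; `PUBLIC_EXPOSURE` together with `NO_AUTH` is the combination described in this article, and `PUBLIC_EXPOSURE` on its own still means the endpoint is being probed by whoever scans that address range.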