Another Big ElasticSearch Data Leak Rocks China, Raises Global Concerns
Last May, an ElasticSearch server leaked patient and personal information on roughly 85% of Panama’s citizens. Last November, an ElasticSearch server leaked user details of over 57 million U.S. citizens for nearly two weeks before it was shut down.
“Another week, another ElasticSearch misconfigured server. It is clear that those that choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly,” said Anna Russell, vice president of comforte AG.
Adding insult to injury to the China data leak was another public, unsecured ElasticSearch server, this one owned by the Jiangsu Provincial Public Security Department. The department is charged with public security in the province; yet here it is with a leak affecting nearly the province's entire population.
“Orvibo, the company that owns the user database in question, is a cloud platform that supports millions of smart-home devices, meaning that personal data like names, addresses, phone numbers, emails and payment information may be at risk. Other information at risk includes precise geolocations, IP addresses and other location-identifying information,” said Gabe Turner, an attorney and journalist at Security Baron, a research and product review company.
But the two databases weren’t the only things exposed to risk. A misconfigured public-facing Kibana installation, designed to enable users to browse and analyze data, gave anyone full admin rights. A BleepingComputer post inventories the risks and the corrective protections taken.
The problem with ElasticSearch data leaks stems from a lack of built-in protections: by default there is no password-based authentication and no firewall, so anyone who can reach the server over the network can read its data.
“ElasticSearch has recommendations on how to secure their servers: secure authenticated sign-on, managed users and roles, encryption, layered security and audit logging. These steps should apply to any server, anywhere,” said Dan Tuchler, chief marketing officer at SecurityFirst.
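The recommendations above map onto concrete settings in an Elasticsearch node's configuration file. The following is an added example, not code from the article or from any of the companies quoted: a small Python audit that parses the flat `dotted.key: value` lines of an `elasticsearch.yml` and reports which of those controls are missing. The two configuration samples are constructed for illustration; the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.transport.ssl.enabled`, `xpack.security.audit.enabled`) are real Elasticsearch settings, and the weak sample reflects the 6.x/7.x-era defaults in which security was switched off unless explicitly enabled.

```python
"""Audit an elasticsearch.yml for the protections the article says are missing."""
from typing import Dict, List

# Constructed sample: a node bound to every interface with security left off,
# which is the shape of the misconfigurations behind the leaks described above.
WEAK_CONFIG = """\
cluster.name: customer-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node with authentication, TLS on both the
# HTTP and node-to-node layers, and audit logging switched on, bound to a
# private address (10.0.5.12 is a placeholder).
HARDENED_CONFIG = """\
cluster.name: customer-data
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
"""

# Values of network.host that expose the REST API beyond the local machine.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' style used in elasticsearch.yml.

    Comments and blank lines are ignored. Nested YAML blocks are out of scope
    for this audit; dotted keys are the form the Elasticsearch docs use.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_enabled(settings: Dict[str, str], key: str) -> bool:
    """A missing boolean setting is treated as off, matching the old defaults."""
    return settings.get(key, "false").lower() == "true"


def audit(config_text: str) -> List[str]:
    """Return one finding per missing control; an empty list means all present."""
    s = parse_settings(config_text)
    findings: List[str] = []

    # Unset network.host binds to loopback only, so only explicit values matter.
    host = s.get("network.host", "localhost")
    exposed = host in PUBLIC_BINDINGS
    authenticated = is_enabled(s, "xpack.security.enabled")

    if exposed and not authenticated:
        findings.append(
            f"CRITICAL: network.host={host} exposes the API to every interface "
            "with no authentication; anyone who can reach port "
            f"{s.get('http.port', '9200')} can read and modify the indices"
        )
    if not authenticated:
        findings.append("HIGH: xpack.security.enabled is not true; no sign-on, users or roles")
    if not is_enabled(s, "xpack.security.http.ssl.enabled"):
        findings.append("HIGH: HTTP layer has no TLS; credentials and data travel in clear text")
    if not is_enabled(s, "xpack.security.transport.ssl.enabled"):
        findings.append("MEDIUM: transport layer has no TLS; node-to-node traffic is unencrypted")
    if not is_enabled(s, "xpack.security.audit.enabled"):
        findings.append("MEDIUM: audit logging is off; access to the data cannot be reconstructed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Running the script prints five findings for the weak sample and none for the hardened one. The check is deliberately conservative about absent keys: a setting that is not present is reported as off, because on the cluster versions involved in these leaks that is exactly what an absent key meant. Network exposure is reported only for explicit bindings to all interfaces; a node that is reachable through a cloud security group or host firewall rule still needs the other controls, which is the layered-security point the quote makes.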
“Because this wasn’t carefully implemented, personal identifying information (PII) data on 58 million Chinese citizens and 33 million businesses have been exposed. It’s good that the Chinese cybersecurity organization CNCERT was responsive and the database was quickly taken down, but the data is already out, with no word of any fines or other repercussions,” Tuchler added.
There’s always been a nagging security concern about public cloud services. But users typically shrug it off, thinking the cloud provider will take all the necessary precautions. Certainly, some of them do. But others do not. Providers and vendors need to up their game to make cloud services safer.
“Vendors need to follow the zero-trust or secure-by-default approach in their products to make it much more difficult for these types of incidents to happen,” said Rene Kolga, vice president of product strategy at Nyotron.
In any case, at least in the U.S., the legal burden falls on the data owner, not the cloud services provider. It therefore behooves all organizations to do their due diligence or hire MSSPs that can secure data stored anywhere.
“Just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations. Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised,” said Russell.