Skip to content

Data Left Behind?

Set of padlocks with one unlocked

vpnMentor’s research team recently (April 2019) discovered a hack affecting 80 million American households. Nothing new here. Just another massive data breach. Many new and many of the same people affected. Lets wait for the apology and move on……

However this time it’s a little different. There is a data security story with a twist.

Cybersecurity hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 65% of US households. This is hosted by a Microsoft cloud server. The data base includes the number of people living in each household with their full names, their marital status, income bracket, age, and more.

So again – let us OUT the “corporate” stupid enough to leave it unprotected. This case is another step towards our trust dwindling a little bit more….. How much trust do you have left?

The research team is on the look out for these issues, they are looking after joe public interests by undertaking a huge web mapping project. They use port scanning methods to examine known IP blocks. This reveals open holes in web systems, which they examine for weaknesses and data leaks.

Usually, they can identify the company or person who owns the data base and they reach out to the owner to report the leak, and where possible, alert the people affected.

Their aim here is to build a safer and more protected internet, more power to them.

BUT, this time it’s different. Whilst the database includes identifying information for more than 80 million households across the United States, directly impact hundreds of millions of individuals. They cannot directly actually identify who set up the database and who is responsible for it.

Wait? …..What? You mean you can set up a Db on the cloud and not have it linked to you? You can get free space? This is a serious issue – lazy corporates who copy data for testing, PoC’s etc just setting it up and then leaving it behind after the project moves on or fails….no clean up.

It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.

vpnMentor started calling on the public to help identify the database and close the leak. As an update of 30th April 2019 the database is no longer open to the public. Phew.

Following the publication of the vpnMentor report, Microsoft took the server offline. In a statement, Microsoft said, “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Microsoft has not revealed who owns the database.

This breach should to be fully reported. How can risk be tracked and identified if the company is allowed to get away with this? On their Cyber Policy renewal what would they say I wonder? We agree with vpnMentor – The 80 million families listed here deserve privacy. Help Them Here.