What is the Issue?
On June 27th, an independent research firm discovered an unprotected database belonging to a marketing firm. The database, which held roughly 340 million records, was exposed to the internet and accessible without credentials.
Why is this noteworthy?
The unprotected database was over two terabytes in size and contained up to 150 fields describing each individual. These fields included personally identifiable information (PII) such as addresses, phone numbers, email addresses, number of children, hobbies, religion, mortgage company and credit rating. The database did not contain Social Security numbers or credit card numbers. Data breaches and leaks continue to occur regularly; Under Armour was affected this year, and Uber and Equifax in 2017.
What is the exposure or risk?
The database was exposed and accessible without credentials for around two months. The affected company shut off access to the database immediately after it was notified of the issue. It is not known how many parties accessed the database during that window. Although no Social Security numbers, credit card or bank information was present, the biographical and contact information in the database is enough to support targeted spam, phishing and fraud.
What are the recommendations?
According to the National Institute of Standards and Technology (NIST) “Breaches involving personally identifiable information (PII) are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs.” Best practices should always be used when storing and protecting personally identifiable information of any individual.
Below are some of the best practices from NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); the full publication should be consulted for the complete guidance.
- Categorize PII by its confidentiality impact level (low, moderate or high).
- Develop an incident response plan to handle breaches involving PII.
- Develop comprehensive policies and procedures for handling PII, including access rules for PII within a system; limits on the collection, disclosure, sharing and use of PII; and storage and retention of PII.
- Collect only the minimum amount of PII necessary for the organization to conduct its mission.
- Limit access to PII to those who need it to perform their jobs.
- Monitor access to PII using audit logs, and review those logs for access that does not fit the expected pattern.
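The last two recommendations are only useful if someone actually looks at the logs. The following is an added example, not code from the bulletin or from NIST, showing the kind of check a monitoring team could run over database access-audit logs: it flags reads of a PII collection by unauthenticated clients (the failure mode in this incident) and clients that pull an unusually large number of records. The log format, the `consumers` collection name, the sample log lines and the 50,000-row threshold are all constructed assumptions for the example.

```python
"""Scan constructed database audit-log lines for unauthenticated access to
a PII collection and for bulk reads of PII.

Added example; the log format and thresholds are assumptions, not taken
from the bulletin or from NIST SP 800-122.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines in a hypothetical format:
#   <timestamp> client=<ip> user=<name or "-"> op=<read|write> collection=<name> rows=<n>
# A user of "-" means the client connected without authenticating.
SAMPLE_LOG = """\
2018-06-27T10:00:01Z client=10.0.0.12 user=marketing_app op=read collection=consumers rows=250
2018-06-27T10:00:05Z client=203.0.113.7 user=- op=read collection=consumers rows=10000
2018-06-27T10:00:09Z client=203.0.113.7 user=- op=read collection=consumers rows=10000
2018-06-27T10:01:00Z client=10.0.0.12 user=marketing_app op=write collection=consumers rows=3
2018-06-27T10:02:00Z client=198.51.100.9 user=- op=read collection=campaign_stats rows=40
2018-06-27T10:03:00Z client=10.0.0.30 user=analyst op=read collection=consumers rows=60000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) collection=(?P<collection>\S+) rows=(?P<rows>\d+)$"
)

# Collections known to hold PII (assumed mapping for the example).
PII_COLLECTIONS = {"consumers"}
# Rows read per client in the log window before it counts as bulk extraction
# (assumed tuning value; set it from the application's normal query sizes).
BULK_THRESHOLD = 50_000


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthenticated_pii_access" or "bulk_pii_read"
    client: str
    detail: str


def parse_line(line: str) -> dict | None:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["rows"] = int(event["rows"])
    return event


def analyze(log_text: str) -> list[Finding]:
    """Return findings for PII collections only; other collections are ignored."""
    findings: list[Finding] = []
    rows_read_by_client: dict[str, int] = defaultdict(int)

    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["collection"] not in PII_COLLECTIONS:
            continue
        # Any unauthenticated operation on a PII collection is a finding on its own.
        if event["user"] == "-":
            findings.append(Finding(
                "unauthenticated_pii_access", event["client"],
                f"{event['op']} of {event['rows']} rows from "
                f"{event['collection']} at {event['ts']}",
            ))
        if event["op"] == "read":
            rows_read_by_client[event["client"]] += event["rows"]

    # Authenticated users can still exfiltrate; flag anyone over the volume threshold.
    for client, total in rows_read_by_client.items():
        if total >= BULK_THRESHOLD:
            findings.append(Finding(
                "bulk_pii_read", client, f"{total} rows read in window"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding.kind:28} {finding.client:15} {finding.detail}")
```

Run against the sample, the check reports the two unauthenticated reads from 203.0.113.7 and the 60,000-row pull by the authenticated `analyst` account, while ignoring the unauthenticated read of `campaign_stats`, which holds no PII. In practice the same logic would be fed from the database's own audit log (most engines can emit client, principal and operation per query) and the threshold tuned per collection.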
If you have any questions, please contact our Security Operations Center.