What was reported earlier this week as only two Elasticsearch database misconfigurations that left millions of bets and thousands of personal records exposed has evolved into a trove of disclosures involving more than 24 million banking and financial records at several organizations, including Bancolombia, according to security researcher Bob Diachenko.
As the week has progressed, Diachenko has revealed the names of different organizations that were part of his Elasticsearch discovery, including Citi and Ascension, a data and analytics company. Today, Diachenko has revealed his exchange with yet another company, Bancolombia, whose database misconfigurations left records exposed.
In an email to Infosecurity, Diachenko wrote:
To discover data breaches, leakages, and vulnerabilities on the Internet, we at SecurityDiscovery.com use public search engines only, such as Shodan, Censys etc. When we find a public database (data that’s fully accessible to anyone without any restrictions) we collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, we employ a Responsible Disclosure model to privately communicate the findings with data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.
On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via the Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit card details) was related to Bancolombia, so I decided the quickest possible way to prevent this data from being stolen would be to report the incident directly to the bank's authorities.
Shortly after I contacted Bancolombia, the instance was secured (Nov. 30), and the next day I was contacted by a representative of the company that managed the data, Waumovil, who thanked me for the heads-up and said that "unfortunately we had some open ports that I was not aware [of]".
In an attempt to get ahead of what was circulating on social media, Bancolombia responded to Diachenko, asserting that none of its systems had been compromised but that the information was "stolen at trade," according to a translation of the statement.
"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cyber-criminals managing the entire system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch code execution to steal or completely destroy any saved data the server contains," Diachenko said.
"Although the company reacted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the files. Data privacy and data protection laws like GDPR are a good first step but companies and charities need to be proactive when it comes to data protection."
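The exposure Diachenko describes above (a cluster found through Shodan that answers an anonymous client, and, in his later comment, a configuration that hands any visitor full control of the system) is straightforward to check for from the outside. What follows is an added example and is not the article's, Diachenko's, Bancolombia's or Waumovil's code: it probes an Elasticsearch endpoint the way an anonymous client would, first the root document (the cluster name and version banner that Shodan indexes), then the index listing, and classifies what it finds. The fetcher is injected so the same logic can run against a live host or against the constructed sample responses embedded below; the `payments-prod` cluster name, index names and document counts are made up for illustration and are not the data from the incident.

```python
"""Probe an Elasticsearch endpoint as an anonymous client and classify exposure.

Added example for this article, not Diachenko's tooling and not code from any
company named in it. The sample responses at the bottom are constructed."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# A fetcher maps a request path to (HTTP status, response body). Injecting it
# lets audit() run against a live host or against constructed samples offline.
Fetcher = Callable[[str], Tuple[int, str]]

INDICES_PATH = "/_cat/indices?format=json&h=index,docs.count,store.size"


@dataclass
class ExposureReport:
    auth_required: bool = False    # root answered 401: authentication is enabled
    anonymous_root: bool = False   # GET / returned cluster metadata with no credentials
    cluster_name: str = ""
    version: str = ""
    indices: List[Dict[str, str]] = field(default_factory=list)
    total_docs: int = 0


def urllib_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Live fetcher, e.g. urllib_fetcher("http://203.0.113.10:9200") (hypothetical host).
    HTTP error responses come back as (status, body); connection failures still raise."""
    def fetch(path: str) -> Tuple[int, str]:
        req = Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def audit(fetch: Fetcher) -> ExposureReport:
    """Anonymous probe: the root banner first, then the index listing."""
    rep = ExposureReport()
    status, body = fetch("/")
    if status == 401:              # e.g. X-Pack "missing authentication credentials"
        rep.auth_required = True
        return rep
    if status != 200:
        return rep
    try:
        root = json.loads(body)
    except ValueError:             # not JSON: some other service on the port
        return rep
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return rep
    rep.anonymous_root = True
    rep.cluster_name = str(root["cluster_name"])
    ver = root["version"]
    rep.version = str(ver.get("number", "")) if isinstance(ver, dict) else str(ver)
    status, body = fetch(INDICES_PATH)
    if status == 200:
        try:
            listing = json.loads(body)
        except ValueError:
            listing = []
        rep.indices = [i for i in listing if isinstance(i, dict)]
        rep.total_docs = sum(int(i.get("docs.count") or 0) for i in rep.indices)
    return rep


def severity(rep: ExposureReport) -> str:
    if rep.auth_required:
        return "secured: authentication required"
    if not rep.anonymous_root:
        return "no anonymous Elasticsearch access observed"
    if rep.indices:
        return (f"CRITICAL: cluster '{rep.cluster_name}' (v{rep.version}) lists "
                f"{len(rep.indices)} indices, {rep.total_docs} documents readable without credentials")
    return f"HIGH: cluster '{rep.cluster_name}' (v{rep.version}) reachable without credentials"


# Constructed sample responses (not real data) so the audit runs offline.
_OPEN = {
    "/": json.dumps({"name": "node-1", "cluster_name": "payments-prod",
                     "version": {"number": "6.4.2"}, "tagline": "You Know, for Search"}),
    INDICES_PATH: json.dumps([
        {"index": "card-transactions", "docs.count": "1200000", "store.size": "2.1gb"},
        {"index": "customers", "docs.count": "150000", "store.size": "80mb"},
    ]),
}


def open_cluster_fetcher(path: str) -> Tuple[int, str]:
    return (200, _OPEN[path]) if path in _OPEN else (404, "{}")


def secured_cluster_fetcher(path: str) -> Tuple[int, str]:
    return 401, json.dumps({"error": {"type": "security_exception",
                                      "reason": "missing authentication credentials for REST request"}})


def web_server_fetcher(path: str) -> Tuple[int, str]:
    return 200, "<html><body>It works!</body></html>"


if __name__ == "__main__":
    for name, f in [("open", open_cluster_fetcher), ("secured", secured_cluster_fetcher),
                    ("web", web_server_fetcher)]:
        print(f"{name}: {severity(audit(f))}")
```

A 200 on `/` carrying `cluster_name` and `version` is exactly the banner a search engine indexes, and an anonymous 200 on `/_cat/indices` means every document is one `_search` request away, which is the situation the article describes. Note that a 401 only tells you authentication is switched on, not that the roles behind it are sensible. The remedy on the server side is the usual pair: bind `network.host` to a non-public interface (Elasticsearch listens on port 9200 by default) and enable authentication, which since 6.8/7.1 is available free under the basic license.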