The University of Chicago Medicine exposes the personal info of over 1.5m donors

An Elasticsearch database containing the personal information of potential and existing donors was found open and unprotected on the Internet.

The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. While investigating the exposed data, Diachenko found that the 34GB Elasticsearch cluster, named ‘data-ucmbsd2’, contained 1,679,993 records.

The records contained personally identifying information including:

  • Full name
  • DOB
  • Full address
  • Phone number(s)
  • Emails
  • Gender
  • Marital status
  • Wealth info and current status
  • Communication notes

Diachenko identified the owner of the database, the University of Chicago Medicine, and the database was secured within 48 hours of the organization being notified.

Diachenko has previously stressed the dangers of an exposed Elasticsearch database. He wrote:

“I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the ES servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.

“Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

In a public statement, the University of Chicago Medicine wrote:

“We are conducting a comprehensive forensic investigation and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database. The researcher confirmed that he never downloaded the full database and only accessed a limited number of records.”

