Discovered by researcher Bob Diachenko, an Elasticsearch cluster had been left on “public” visibility for at least eight months.
The cluster contained more than 1TB of data, and was found to belong to CEB Inc, a subsidiary of Gartner, a leading information technology research and advisory company.
Diachenko discovered the database on August 14, 2019 and found that the database had been set to public since January 2019. Gartner were immediately notified via email, to which they responded thanking Diachenko for the responsible disclosure.
Gartner secured the database and stated that all the data had been collected from public sources. Over 155 million records containing information including full names, bio, skills, employment records, and email addresses were identified.
Additionally, the presence of an API key further proved that the data wasn’t publicly sourced. The API key could have been utilised by malicious actors to help gain further access inside the corporate network.
It remains unknown if somebody has access the data when set to public, “but the chances are high that this information had been exfiltrated at some point,” said Diachenko.
In a statement, a spokesperson from Gartner said:
“Gartner was recently contacted by a security researcher regarding a database that was inadvertently accessible to the public. After we were notified, we immediately secured the database. The information contained in the database was publicly available data used in demographic trend analysis. No client or other Gartner confidential information was contained in the database. Gartner takes security very seriously and we have implemented additional steps to prevent this from happening again.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.