A non-password-protected database containing a total of 198 million records and 413GB of data was discovered on August 19.
Security researcher Jeremiah Fowler had come across the dataset several times but was unable to identify the owner. The dataset was “a compilation of potential car buyers wanting more information, loan and finance inquiries, vehicles that were for sale, log data with ip addresses of visitors and more.”
Many of the websites within the database appeared to be a variety of lead generation sites and smaller “possibly” independent dealerships. Fowler explained that he initially thought the database was a directory; however, there was so much detailed information and so many back-end records that it couldn’t be.
It wasn’t until manually reviewing multiple domains that Fowler discovered that the database linked back to Dealer Leads. Upon his discovery, Dealer Leads were immediately notified. The following day, August 20, Fowler confirmed that the database was still publicly accessible and called the company about the data exposure since the emails were unsuccessful.
Shortly after the notification all public access was closed.
Through his investigation, Fowler discovered that the Elastic database had been set to be open and visible in any browser, and that anyone with an internet connection was able to access the data without administrative credentials.
The 198 million records included names, addresses, emails and IPs.
Although Dealer Leads acted fast and restricted public access immediately after being notified, it is unknown how long the data was exposed and who had access to the records.
According to Fowler, it is unclear if Dealer Leads had notified the authorities and individuals about the data incident.
“This is another wake up call for any organization that collects and stores large amounts of data. It is crucial to ensure that the proper safeguards are in place. Data protection and privacy are now becoming a core part of the business landscape and there is a growing shift where more and more people realize that customer data is just as important as the products or services,” said Fowler.