Open Elasticsearch instance had data on Canadian immigrant applicants: Researcher

Finding exposed Elasticsearch servers has become great sport among some security pros. Canadian researcher and consultant Darryl Burke recently came across two more, one of which held sensitive personal information of Middle East residents looking to immigrate to Canada.

Using a research tool he created for finding unsecured databases, last month Burke found an exposed Elasticsearch database belonging to an immigration consulting company in the United Arab Emirates (UAE), where a knowledgable person could have found data of applicants including their names, passwords, emails, photocopies of passports and other material.

Burke notified the company by email May 13 as well as someone he knows at the UAE’s computer emergency response (CERT) team. The database was secured May 25.

More recently he found a Vietnamese outsourcing company had left an Elasticsearch server open with exposed personal information on about 6,000 people in its database of freelancers, as well as links to an unsecured Amazon S3 cloud storage instance with more sensitive documents.

The incidents are proof that IT pros aren’t careful enough in securing their technology, Burke said in an interview.

“One of the emails that was exposed [from the UAE immigration firm] was between it and their IT individuals that said, ‘Make sure you secure the database ports and the Web ports,’ but they missed the Elasticsearch side of it,” he said.

Elasticsearch is an open source analytics search engine organizations use to hunt through their data. What many companies don’t realize, Burke said, is that it keeps a cache of data it indexes. If the Elasticsearch server is open to the Internet but not secured with a username and password — and, ideally, two-factor authentication — then that data is open to an attacker.

He estimates the UAE company had over 800,000 records exposed.

“I’m going to guess they hired out the development or customization this software to a third party, because it doesn’t appear they had those skills in-house, and as part of that development they did the default installation of Elasticsearch. It’s not direct access to the underlying database, which was secured. But Elasticache does keep a copy of the indexed data that it pulls out of the database [and] that is exposed.”

Elasticsearch B.V. fixed this and other problems in its latest releases.

“You need to treat Elasticsearch like a database in that it does create copies of your underlying data,” Burke said. “They need to ensure it is secured with username and password, uses encrypted communications like TLS, and they are keeping up to date with the latest version of the software.”

Any company that handles personally identifiable information on servers open to the Internet should have an independent security audit of all its technology and architecture once a year, he added, to ensure the design is secure.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now