UPDATED 21:15 EDT / JANUARY 21 2019

SECURITY

108M online casino customer records exposed in latest case of misconfigured database

In another case of an incorrectly configured online database, an online casino group has exposed information on 108 million bets.

The data was exposed via a misconfigured Elasticsearch database, according to a report today from ZDNet. The breach included data from sites such as kahunacasino.com, azur-casino.com, easybet.com and viproomcasino.net.

The companies weren’t named, but a quick search online finds that one of the sites, Easybet, is owned by TGI Entertainment NV, a company registered in Curacao. Another is owned by Mountberg Ltd., a Cyprus-registered company. The leaked data included customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.

Mark Weiner, chief marketing officer at Balbix Inc., told SiliconANGLE that the breach is yet another example of a common trend: a company leaving a server and critical information unsecured without any password protection. That’s the cause of many recent leaks such as the VOIPo and Oklahoma Securities Commission’s latest incidents.

The data, he said, could be used by malicious actors as part of a phishing scam to target those who recently won large sums of money. The fortunate thing is that the exposed payment card data was partially redacted, meaning users didn’t have their full financial information exposed.

“Organizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200-plus attack vectors for potential vulnerabilities,” Weiner explained. “Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”

Rich Campagna, chief marketing officer of Bitglass Inc., said leaving a server publicly accessible is unacceptable no matter the size of the company, and that proper security involves methods such as data loss prevention, user and entity behavior analytics and encryption of data at rest.

“Companies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing the trust of their customers,” Campagna added. “In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPR’s transparency and consent laws.”

Carl Wright, chief commercial officer at AttackIQ Inc., added that nearly all these instances could have been prevented if the organizations understood that their security stack was misconfigured.

“It is time that enterprises test their respective security posture proactively rather than waiting for cyber attackers to thwart any existing, or lack of, cyber defense,” Wright said. “There is no excuse for deploying security controls that are not properly configured, therefore resulting in protection failures.”

Image: Easybet
