

Some 2.8 million customer records have been exposed online by communications firm CenturyLink Inc. in the latest case of a company failing to secure an online database.
Discovered and publicized Friday by security researcher Bob Diachenko and researchers at Comparitech Ltd., the MongoDB database included application programming interface logs with customer information. The customer information included name, email address, phone number, physical address, CenturyLink account number, notification logs and conversation logs.
CenturyLink was informed of the misconfigured database Sept. 15, securing it two days later. There’s no evidence at this time that it was accessed by nefarious actors, but the report noted that the database was first indexed by the Shodan search engine on Nov. 17, meaning that it sat exposed for 10 months, allowing potentially anyone to access it.
In a statement to Comparitech, CenturyLink said that it was “conducting a thorough investigation of the incident” and was in the “process of communicating with the affected customers.” Although the data wasn’t considered highly sensitive in nature because there was no banking information or Social Security numbers in it, it’s still valuable to criminals.
“Over the last few months we have witnessed several companies make the simple mistake of leaving a database publicly accessible,” Anurag Kahol, chief technology officer of cloud access security broker Bitglass Inc., told SiliconANGLE. “Unfortunately, this CenturyLink incident is yet another example of highly sensitive consumer data left exposed because of a simple security mistake. This type of personally identifiable information can easily be used to launch phishing attacks against those impacted, and leaves them vulnerable to identity theft and other forms of fraud well into the future.”
Chris DeRamus, co-founder and chief technology officer of cybersecurity firm DivvyCloud Corp., emphasized how common this type of breach is.
“It was just earlier this year when security researchers discovered Verifications.io’s unprotected, publicly accessible MongoDB database, exposing nearly 809 million records containing employee and business data,” DeRamus said. “Within every company, data is king and collecting, storing and leveraging data is essential to running a business effectively.”
DeRamus added that companies must ensure proper security not only in their own information technology environments but also among their partners, vendors and other connected parties.