UPDATED 23:01 EDT / JULY 21 2020

SECURITY

Family Tree Maker exposes records online via unsecured Elasticsearch database

Another day, another data breach involving misconfigured and unsecured cloud storage, and today’s episode involves Family Tree Maker, a genealogy service from The Software MacKiev Co.

Discovered by security researchers at WizCase, which published its findings Monday, the data was found on an open and unencrypted Elasticsearch server. The data included some 60,000 email addresses, internal system user IDs, subscription types and statuses, refunds, timestamps, user location data, IP addresses, user support messages and technical data.

It also included 25 gigabytes of data mirrored from Ancestry.com LLC. Although Software MacKiev is a separate company from Ancestry.com, the most popular family history service provider, the security researchers noted that there’s a link between the two companies since Family Tree Maker was previously owned by Ancestry.com.

The researchers informed Software MacKiev of the data breach and the database was taken offline, but the company has not commented on the breach. The exposed data, if it has fallen into the wrong hands, could result in Family Tree Maker users being targeted by identity fraud and phishing attacks.

“As the Family Tree Maker scenario clearly displays, security administrators need to move beyond reinforcing their perimeter boundaries and access mechanisms,” Trevor Morgan, product manager at data security firm comforte AG, told SiliconANGLE. “Had this highly sensitive personal data been tokenized in the Family Tree Maker environment, none of it would have had the potential to compromise individual users. This type of preventative helps keep organizations within compliance regulations and helps to avoid other liability-based repercussions.”

Pravin Kothari, founder and chief executive officer of cloud security specialist CipherCloud Inc., thinks these types of configuration errors will continue.

“Beyond taking an automated approach to enforcement of cloud security and compliance best practices, you really need to emphasize a data-centric approach,” Kothari said. “Many practitioners are focused so heavily on identity management that they may overlook the need to combine identity, configuration and data security practices. The organizations that we see having success in preventing these incidents are extremely focused on protecting cloud data at the source. You have to work really hard to know where all the data lives and enforce the right policies.”

Image: Family Tree Maker
