Family Tree Maker exposes records online via unsecured Elasticsearch database
Another day, another data breach involving misconfigured and unsecured cloud storage, and today’s episode involves Family Tree Maker, a genealogy service from The Software MacKeiv Co.
Discovered by security researchers at WizCase, which published its findings Monday, the data was found on an open and unencrypted Elasticsearch server. The data include some 60,000 email addresses, internal system user IDs, subscription type and its status, refunds, timestamps, user location data, IP address, user support messages and technical data.
It also included 25 gigabytes of data mirrored from Ancestry.com LLC. Although Software MacKeiv is a separate company to Ancestry.com, the most popular family history service provider, the security researchers noted that there’s a link between the two companies since Family Tree Maker was previously owned by Ancestry.com.
The researchers informed Software MacKeiv of the data breach and the database was taken offline, but the company has not commented on the breach. The exposed data, if it has fallen into wrong hands, could result in Family Tree Maker users getting targeted by identity fraud and phishing attacks.
“As the Family Tree Maker scenario clearly displays, security administrators need to move beyond reinforcing their perimeter boundaries and access mechanisms,” Trevor Morgan, product manager at data security specialist at data security firm comforte AG, told SiliconANGLE. “Had this highly sensitive personal data been tokenized in the Family Tree Maker environment, none of it would have had the potential to compromise individual users. This type of preventative helps keep organizations within compliance regulations and helps to avoid other liability-based repercussions.”
Pravin Kothari, founder and chief executive officer of cloud security specialist CipherCloud Inc., thinks these types of configuration errors will continue.
“Beyond taking an automated approach to enforcement of cloud security and compliance best practices, you really need to emphasize a data-centric approach,” Kothari said. “Many practitioners are focused so heavily on identity management that they may overlook the need to combine identity, configuration and data security practices. The organizations that we see having success in preventing these incidents are extremely focused on protecting cloud data at the source. You have to work really hard to know where all the data lives and enforce the right policies.”
Image: Family Tree Maker
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU