2.8M CenturyLink customer records exposed on misconfigured cloud database
Some 2.8 million customer records have been exposed online by communications firm CenturyLink Inc. in the latest case of a company failing to secure an online database.
Discovered and publicized Friday by security researcher Bob Diachenko and researchers at Comparitech Ltd., the MongoDB database included application programming interface logs with customer information. The customer information included name, email address, phone number, physical address, CenturyLink account number, notification logs and conversation logs.
CenturyLink was informed of the misconfigured database Sept. 15, securing it two days later. There’s no evidence at this time that it was accessed by nefarious actors, but the report noted that the database was first indexed by the Shodan search engine on Nov. 17, meaning that it sat exposed for 10 months, allowing potentially anyone to access it.
In a statement to Comparitech, CenturyLink said that it was “conducting a thorough investigation of the incident” and was in the “process of communicating with the affected customers.” Although the data wasn’t considered highly sensitive in nature because there was no banking information or Social Security numbers in it, it’s still valuable to criminals.
“Over the last few months we have witnessed several companies make the simple mistake of leaving a database publicly accessible,” Anurag Kahol, chief technology officer or cloud access security broker Bitglass Inc., told SiliconANGLE. “Unfortunately, this CenturyLink incident is yet another example of highly sensitive consumer data left exposed because of a simple security mistake. This type of personally identifiable information can easily be used to launch phishing attacks against those impacted, and leaves them vulnerable to identity theft and other forms of fraud well into the future.”
Chris DeRamus, co-founder and chief technology officer of cybersecurity firm DivvyCloud Corp., emphasized how common this type of breach is.
“It was just earlier this year when security researchers discovered Verifications.io’s unprotected, publicly accessible MongoDB database, exposing nearly 809 million records containing employee and business data,” DeRamus said. “Within every company, data is king and collecting, storing and leveraging data is essential to running a business effectively.”
DeRamus added that companies must ensure proper security not only in their own information technology environments but also among their partners, vendors and other connected parties.
Photo: Jelson25/Wikimedia Commons
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU