Misconfigured ElasticSearch Server at University of Chicago Medicine Impacts over 1.68mRecords

It has been revealed that University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed due to a misconfigured server.

The records were saved on a misconfigured ElasticSearch server which had mistakenly had protections removed allowing it to be accessed over the internet without the requirement for any authentication. The misconfiguration permitted a database to be accessed which included 1,679,993 records of donors and prospective donors.

The exposed database was noticed by Security Discovery researcher Bob Diachenko on May 28. Diachenko had carried out a search using the search engine Shodan to find unsecured databases. Even though awareness has been increased following the discovery of a large number of exposed ElasticSearch instances and other NoSQL databases in recent times, Security Discovery researchers are still finding between 5 and 10 ‘big cases’ of unsecured databases every month.

The most recent find was a sizable cluster containing 34GB of data. The cluster, named data-ucmbsd2, had been indexed by Shodan and could be logged onto via the internet by anyone. The database contained a variety of information including names, addresses, phone numbers, email addresses, dates of birth, gender, marital status, wealth information and current financial status, and notes about previous communications.

Diachenko found that the data was owned by UC Medicine and sent a notification and the ElasticSearch instance was secured within 48 hours.

UC Medicine has released a statement confirming a comprehensive forensic investigation was completed, which determined the database was not victim of an unauthorized access by anyone other than Diachenko. Diachenko confirmed that he only accessed some of the records to determine who they owned by and did not download the database. Fortunately, the window of chance was small. Diachenko found the database one day after it had been indexed by Shodan.

ElasticSearch instances should be set up to ensure that they are only accessible over an internal network and authentication controls should be enabled to ensure only authorized individuals have access. Misconfigurations do not only put data at risk of being stolen, there have also been instances where the lack of authentication has permitted hackers to encrypt databases using ransomware or even completely erase all stored data.

Author: Security News