MongoDB Database Breach – What the Experts are Saying

Brian Krebs of KrebsOnSecurity reported this week about “tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been wiped from the Internet, replaced with ransom notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none of the victims who have paid the ransom have gotten their files back because multiple fraudsters are now wise to the extortion attempts and are competing to replace each other’s ransom notes.”

An ill-configured database platform, which Krebs has reported on in the past, appears to be the target. Krebs goes on, “At the eye of this developing data destruction maelstrom is an online database platform called MongoDBTens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them.”

Here is what industry experts are saying about this breach.

Chris Kennedy, CISO and VP of customer success, AttackIQ

“Although we don’t currently know who owns this database, it’s only a matter of time before that information comes to light. But no matter the owner, this breach could have been easily been prevented if basic password protection was in place. Organizations must do a better job at analyzing the security of their environments to identify weaknesses, especially when storing highly sensitive data such as this. They must also continuously test the efficacy of their security controls to ensure they are working as expected. What’s more, organizations that collect and store this type of data and share it with third-party organizations such as messaging providers, need to do their due diligence in ensuring those partners are practicing adequate security measures as well.”

Kevin Gosschalk, CEO, Arkose Labs

“On the heels of Quest Diagnostic and LabCorp, this is the third high-profile healthcare breach in three weeks. Companies handling medical records are heavily targeted by cybercriminals and must take every precaution necessary to protect all of their attack surfaces. In this case, the information of 78,000 patients was left exposed on a database without the most basic level of protection: a password. In today’s advanced threat landscape, companies cannot afford a serious lapse in security of this nature. Proactive security measures must be in place at all times to protect the attack surface and secure sensitive data.”

Robert Prigge, President, Jumio

“Add another log to the dark web fire. Breaches like this one which exposed close to 400,000 prescriptions are especially dangerous. Patient records, like the data stolen from this hack, is a virtual treasure trove containing not only full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, National Provider Identifier, NABP E-Profile Number, and more. This is the kind of data that can fetch as much as $1000 per record on the dark web.

Naturally, the first reaction is to notify the patients, inform them of the breach and try to ensure this doesn’t happen again. But, the healthcare industry, more specifically the leading pharmacies, needs to ensure that these breached records don’t become the tools used for account takeovers.  Just how easy would it be for a fraudster to impersonate a breached patient and secure their prescriptions (including many controlled substances) online? Incredibly easy with outdated authentication methods. Pharmacies need to adopt more advanced digital identity verification and authentication technology to make sure that a patient’s digital identity matches their physical identity after so many high-profile healthcare data breaches.”

Anurag Kahol, CTO, Bitglass

“Unfortunately, this is yet another example of a breach of highly sensitive consumer data that occurred because of a simple security mistake. Leaving a database publicly accessible without even basic security such as password protection is inexcusable. Once the owner of the database is identified, they will likely face penalties for violating HIPAA compliance regulations. Healthcare organizations must take the proper cloud security steps, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their database, maintain compliance with regulations, and protect the sensitive consumer data that they have been entrusted with.”