Unsecured database reveals sensitive info about movie chain customers
Scoop: Passwords, partial payment info and government ID numbers were found on an exposed database for customers of a Peruvian company.
- 2022 Eddie Award for a single article in consumer technology
An exposed database revealed sensitive information on customers of a Peruvian movie theater chain, a researcher says.
An unsecured database left sensitive information of thousands of movie buffs open on the internet for anyone to see, a security researcher said Monday. The information included full names, email addresses, unencrypted passwords, partial payment information and government ID numbers of film lovers who made purchases with Peruvian company Cineplanet.
The open database, which anyone with the correct IP address could access on a web browser, also exposed information about members of the company's loyalty program, including employment and marital status. There's no indication that cybercriminals accessed the data, though that can't be ruled out.
The database, which was stored on a cloud server, is no longer exposed online. Cineplanet confirmed that the data was removed from the internet once the company learned of the exposure on Thursday. In a statement Monday, the company said the exposure affected less than 4% of its registered customers. The company lists roughly 40 theater locations across the South American country on its website, with 23 in the capital city of Lima.
The exposure marks the latest example of sensitive personal information being left unsecured on a cloud database, an ongoing problem affecting privacy around the world. Companies are moving their customer data to cloud servers because of the flexibility and savings they offer. But many organizations don't have the IT expertise to set up those databases securely. In the past year, databases have exposed patient records from drug rehabilitation centers, information about millions of US households, and the salary expectations of job seekers.
The researcher who found the database, Anurag Sen, published his findings on Monday with antivirus review website SafetyDetective and shared the research with CNET. The database appeared to only keep records for a one-month period, and about 1.5 million new records appeared on the website each day Sen observed it, he said.
Currently, the most straightforward way to keep databases secure is with password protection. However, many software tools that manage cloud databases don't enable password protection by default. Even when password protection is the default setting, the IT staff that sets up databases often unwittingly disables it, according to researchers.
How many exposed databases with no password protection are there? "More than you could possibly imagine," said Chris Vickery, a researcher who looks for database exposures and wasn't involved in finding the Cineplanet database.
One potential solution is encryption, which scrambles up data before storing it on the cloud. The technology is in its early stages.
The Cineplanet database exposed roughly 250,000 DNI numbers, Sen said, which is the 8-digit number associated with the Documento Nacional de Identidad, or national identity document. It's a form of ID used for travel, accessing government services and voting in Peru.
It was more difficult to gauge how many passwords and other unique pieces of information were exposed among the millions of records. The data would be valuable to hackers who could try to use the exposed passwords to log into more sensitive accounts, like email or banking accounts. Because so many internet users reuse their passwords, these kinds of attacks can be very lucrative for hackers.
It could also be valuable to identity thieves, especially details like marital status and payment information. Even though there aren't signs that hackers have been abusing the Cineplanet data, identity theft experts say to treat database exposures as seriously as if a hacker had gone out and stolen your information. That means watching your payment cards for fraudulent transactions and being mindful that fraudsters might use your personal information in phishing attacks.
Originally published Jan. 27.
Updates, Jan. 27: Adds comment from Cineplanet; Jan. 28: Includes additional comment from Cineplanet.
