An unsecured database left confidential information of thousands of movie fans open on the Internet for anyone to see, a security researcher said Monday. The information included full names, email addresses, unencrypted passwords, partial payment information and what appeared to be government identification numbers of movie lovers who made purchases with the Peruvian company Cineplanet.
The open database, which anyone with the correct IP address could access in a web browser, also contained information about the company’s loyalty program members, including employment and marital status. There is no evidence that cybercriminals have accessed the data, although that cannot be ruled out.
The database, which was stored on a cloud server, is no longer exposed online. It was closed on Thursday.
Cineplanet did not immediately respond to a request for comment. The company lists approximately 40 theaters throughout the South American country on its website, with 23 in the capital city of Lima.
The exposure marks the latest example of confidential personal information left unprotected in a cloud database, a continuing problem that affects privacy worldwide. Companies are moving their customer data to servers in the cloud due to the flexibility and savings they offer. But many organizations do not have the IT expertise to configure those databases securely. In the past year, databases have exposed patient records of drug rehab centers, information on millions of U.S. homes and the salary expectations of those looking for work.
The researcher who found the database, Anurag Sen, published his findings Monday with the SafetyDetectives antivirus review website and shared the research with CNET. The database seemed to keep records for a period of only one month, and about 1.5 million new records appeared on the website every day Sen watched it, he said.
Currently, the easiest way to keep databases secure is with password protection. However, many software tools that manage databases in the cloud do not enable password protection by default. Even when password protection is the default setting, IT personnel who configure databases often unintentionally disable it, according to researchers.
How many exposed databases without password protection are there? “More than you can imagine,” said Chris Vickery, a researcher who looks for database exposures and was not involved in finding the Cineplanet database.
One possible solution is encryption, which encodes the data before storing it in the cloud. The technology is in its early stages.
The Cineplanet database exposed approximately 250,000 ID numbers, Sen said. The data seemed to refer to the national identity document, a form of identification used to travel, access government services and vote in Peru.
It was more difficult to measure how many passwords and other unique pieces of information were exposed among the millions of records. The data would be valuable for hackers who could try using the exposed passwords to log in to more sensitive accounts, such as email or bank accounts. Because many Internet users reuse their passwords, such attacks can be very lucrative for hackers.
It could also be valuable for identity thieves, especially details such as marital status and payment information. Although there are currently no indications that hackers have abused Cineplanet data, identity theft experts say to treat database exposures as seriously as if a hacker had stolen your information. That means monitoring your payment cards for fraudulent transactions and keeping in mind that scammers can use your personal information in phishing attacks.