French news site L'Express exposed reader data online, weeks before GDPR deadline
(Image: file photo)
NEW YORK; PARIS -- French weekly news magazine L'Express left a server containing a database of its readers exposed online for weeks without a password.
Even after the Paris-based magazine was warned of the exposure, the database wasn't secured for another month, leaving its contents accessible and downloadable by anyone, including hackers that made several attempts to ransom the data.
Mickey Dimov, a Florida resident and recent high school graduate who now works in security operations for a major defense contractor, told ZDNet that he found the database by chance. At about 60 gigabytes in size, the database was packed with data on over 693,000 readers, and other information critical to the magazine's online operations.
Through an intermediary, Dimov contacted the company in January. After hearing nothing back, he contacted ZDNet, which also alerted the magazine to the exposure.
During the month Dimov was waiting to hear back from the magazine, he witnessed the MongoDB database be hit by criminals who tried multiple times to steal the data and hold it to ransom for bitcoins, a common technique used by scammers against open and exposed databases.
All failed -- except for one.
Dimov kept tabs on the database."I was progressively more and more frustrated about the lack of communication," he said. "This got kind of personal for me."
After criminals began targeting the database, Dimov fought off ransom attacks by duplicating and restoring the tables, preventing any data loss. Based on the table history, attackers may have tried to ransom the database more than a dozen times.
"I did not want this data to be deleted because I was worried that it was hooked to their website and infrastructure in a major way," he explained. "There were a lot of collections that looked like they were critical to the front page [and] to the alert system they used to push out news."
Executive guide: What is GDPR? Everything you need to know about the new general data protection regulations | WhatsApp, Facebook to face EU data protection taskforce | GDPR: These are the organizations which are least prepared | Can you have secrets online? This unusual pop-up shop will make you think again | Vendor Security Alliance tweaks auditing system to be GDPR compliant | Google 'right to be forgotten' case goes to top EU court
When reached last week, L'Express editor-in-chief Emma Defaud confirmed the data leak in an email to ZDNet, and said she was "grateful" for the report. "It has been corrected," she said.
In a later, follow-up email, she said, "L'Express has been victim of unauthorised intrusion into one of [our] servers," and downplayed the potential impact, saying the server was "inactive" and used in the past "to run tests on."
ZDNet obtained a portion of the database to verify. Each record had a reader's first name and surname, email address, and profile photos, and their job titles, along with other information associated with each user's online readership profile.
Defaud confirmed that neither passwords nor bank details were stored in the database.
"The data contained on that server is old," Defaud explained. "The data is accounts created on a service that's now terminated, namely communaute.lexpress.fr. The accounts were created in 2016, by people either willing to post a comment or keen to receive our newsletter."
A closer examination of the database records, however, showed otherwise. The most recent entry in the database was timestamped February 20, 2018. That is consistent with the ability to create a new membership account by accessing communaute.lexpress.fr which redirects to a fully-working and operating L'Express service.
Existing French legislation requires that any personal data collected for a service that no longer exists should be removed or fully anonymized. If the service had since been terminated as Defaud said, that doesn't explain why L'Express held onto the data -- something we asked about, but received no response to.
GDPR, A FIX FOR 'DATA NEGLIGENCE'?
Compared to other data breaches, the kind of data exposed by L'Express may not be seen as high-risk information. But the French Supreme Court in 2016 ruled that political opinions can be considered "sensitive" personal data and require greater protections.
Given news outlets in France have known political leanings, a case could be made that paying a subscription to a left-leaning or far-right-leaning outlet could reveal a person's political opinions.
When contacted, French data protection authority, Commission Nationale Informatique et Libertés (CNIL), would not clearly say if the data is seen as sensitive or not.
But while many have grown accustomed to an abundance of data negligence, it will soon transform into a costly liability for organizations. Media organizations are no exception.
The General Data Protection Regulation (GDPR) will come into effect on May 25, replacing a patchwork of decades' old data protection laws across the EU. At its core, the new law rules that any piece of information that identifies an individual, directly or not, is personal data. GDPR also provides a common framework for personal data protection across EU member states and steers specific rules when data is transferred outside the bloc of member states.
Even more important, the GDPR has far-reaching consequences for organizations on accountability.
Companies and organizations processing personal data will have to provide proof that they do what they pretend they do.
Firms processing personal data will have to ensure that they have the explicit consent of the individual whose data it is. If, for example, a person receives email advertisements or spam, the sender will have to prove that the recipient expressly allowed it.
Failing to do so can risk fines of up to €20 million, or four percent of the firm's global revenue for the previous year -- a significant increase from current legislation.
Another improvement on the regulation is the obligation of firms to report data breaches and exposures. Whenever personal data is found unprotected in the wild, the data owner must inform their country's data protection authority.
In a case where the data could have privacy risks -- such as identity theft, the firm has to inform each and every affected individual.
'SINGLE POINT OF FAILURE'
Beyond a brief email to ZDNet acknowledging the exposure, L'Express has to our knowledge made no effort to inform its readers or the authorities.
CNIL confirmed that L'Express has not been in contact about the data breach. L'Express did not respond to an email asking why the exposure was not been flagged to the CNIL.
Under existing laws, most companies operating in France are not obligated to inform the authorities of a data breach. But that will change when GDPR comes into force, making a breach disclosure mandatory.
Defaud added in her email that "[our] IT team has responded swiftly and switched the server off immediately after they learnt about the vulnerability." She ensured the organization "constantly reinforces the security of [our] server infrastructure and leverages both internal and external expertise."
Defaud neither explained what steps were taken to secure the database nor if the company had received ransom demands for the data, and did not answer other questions we asked.
Mishandling a vital readership database isn't unique to L'Express. Other firms have underestimated the strategic value of their core databases.
Fledgling budgets have pushed media outlets to outsource their IT management. But having to depend on a limited number of actors when things go wrong can lead to a single point of failure, threatening the integrity and availability of web services and subscriber databases.
In 2015, a major outage at Oxalide, the hosting provider that several media outlets rely on, fell offline for two hours following a BGP routing incident.
A year later, publication En-Contact revealed that one GLI, one of the leading subscription management firms in France, experienced several system failures. GLI ensures subscriptions for 40 percent of the French media outlets, including those owned by the Condé Nast Group, and by the parent company of L'Express.
Not only does GLI manage the infrastructure, such as storing subscriber data, the company also collects and stores subscribers' names, addresses, and also the billing details and the duration of each subscription. The incident turned into a crisis after GLI struggled for a month to restore the data and its services.
The problem took place at a critical moment of the year, that is when people leave for vacation and change their shipping address. The affected outlets lost the integrality of their subscriber records for the duration of the incident.
Affected media outlets did not publicly comment on the financial loss GLI's long-lasting incident represents although it is believed to be substantial.