An Elasticsearch server left connected to the internet without a password or firewall protection has leaked what appears to be personal records and patient information for roughly 85 percent of Panama's citizens.
The leaky server was found online last week by Bob Diachenko, founder and security researcher with Security Discovery.
The Elasticsearch server, a technology used to power fast search systems, contained 3,427,396 user records labeled as patient data. According to ZDNet, the data was valid.
Given that Panama's last census listed the country as having a population of 4,034,119 citizens, it appears that personal records for 84.96% of all Panamanians were exposed online during this server mishap.
The information here is a treasure trove for online fraudsters, although the good news is that no financial information was present in the database.
Information stored in the leaky Elasticsearch server included names, home addresses, phone numbers, email addresses, national ID numbers, dates of birth, medical insurance numbers, and other details, per Diachenko's analysis.
Not all database entries contained the same type of information, and for some users, only part of this data was present in the database. Furthermore, there was no indication that the database stored details about a patient's medical records, past conditions, treatments, and so on, Diachenko told ZDNet.
The database was secured over the weekend after Diachenko notified the Computer Emergency Response Team (CERT) of Panama.
The leaky server also did not contain any clues about its ownership, which remains a mystery today.
Nonetheless, the company or state agency believed to be running the Elasticsearch server doesn't appear to have good security practices.
The same IP address where the Elasticsearch cluster was hosted also exposed RDP endpoints over the internet, allowing anyone to launch brute-force attacks and attempt to compromise the company's network. Such endpoints should normally be exposed online only from behind a firewall that strictly limits who can access them.