US actor casting company leaked private data of over 260,000 individuals

Exclusive: The site has been used to cast members in Pitch Perfect and Terminator Genisys, among other shows.

Data breach at Mitsubishi may have exposed prototype missile design

A popular website used to cast US talent in movies and television shows exposed the data of roughly 260,000 individuals online.

In a report shared exclusively with ZDNet, the cybersecurity team from Safety Detectives, led by Anurag Sen, said the breach was discovered at the beginning of June this year. 

New Orleans-based MyCastingFile.com is an online casting agency that recruits talent. Users can sign up -- for free or on a subscription basis -- to apply for casting notices. The company claims to have provided actors for productions including True Detective, Pitch Perfect, NCIS: New Orleans, and Terminator Genisys. 

Safety Detectives discovered an open Elasticsearch server, hosted by Google Cloud, in the United States. The database was not secured via any form of authentication and in total, close to 10 million records were exposed. 

The database was 1GB in size and upon investigation, the team found that over 260,000 users of the website had their profiles leaked, including aspiring actors and potentially members of staff. 

See also: More pre-installed malware has been found in budget US smartphones

Personally identifiable information (PII) made publicly available via the leak included names, physical addresses, email addresses, phone numbers, work histories, dates of birth, height and weight, ethnicity, and physical features of interest to potential employers -- such as hair color and length. 

In addition, the records included vehicle ownership information, such as model, color, and year of manufacture. 

Photographs of faces and bodies were also included in the breach; however, only some images were exposed as they were hosted at multiple locations and via different cloud services.  

CNET: Google targets stalkerware in updated ad policy

Under 18s are also able to sign up for the platform as long as their accounts are managed by guardians and they have been given consent. 

"From the data breach, it could have been possible to determine what amount of data belonged to children, although our security team did not carry out a full download or demographic analysis of the available data -- first and foremost, for ethical reasons," the team notes. 

screenshot-2020-07-15-at-11-01-41.png

Server records indicate that the exposure first began on May 31. MyCastingFile is currently migrating to a new platform so the issue may be related to the move. (ZDNet has requested clarification.) 

TechRepublic: Software-defined perimeters may be the solution to remote work security concerns

Safety Detectives spent some time verifying who owned the database, eventually reaching out to MyCastingFile on June 11. On the same day, the agency responded to the report and secured the server. 

MyCastingFile's rapid response is, unfortunately, a rarity these days. In many cases of researchers reporting open database issues, organizations will take weeks -- or months -- to address the problem, or may simply ignore requests altogether. 

ZDNet has reached out to MyCastingFile with additional queries and will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0