vpnMentor’s research team recently (April 2019) discovered a hack affecting 80 million American households. Nothing new here. Just another massive data breach. Many new and many of the same people affected. Let's wait for the apology and move on...

However, this time it's a little different. There is a data security story with a twist.

Cybersecurity hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 65% of US households. It is hosted on a Microsoft cloud server. The database includes the number of people living in each household with their full names, their marital status, income bracket, age, and more.

So again - let us OUT the "corporate" stupid enough to leave it unprotected. This case is another step towards our trust dwindling a little bit more... How much trust do you have left?

The research team is on the lookout for these issues; they are looking after Joe Public's interests by undertaking a huge web mapping project. They use port scanning methods to examine known IP blocks. This reveals open holes in web systems, which they examine for weaknesses and data leaks.

Usually, they can identify the company or person who owns the database, and they reach out to the owner to report the leak and, where possible, alert the people affected.

Their aim here is to build a safer and more protected internet. More power to them.

BUT, this time it's different. While the database includes identifying information for more than 80 million households across the United States, directly impacting hundreds of millions of individuals, they cannot actually identify who set up the database and who is responsible for it.

Wait? ... What? You mean you can set up a DB on the cloud and not have it linked to you? You can get free space? This is a serious issue: lazy corporates who copy data for testing, PoCs, etc., just setting it up and then leaving it behind after the project moves on or fails... no clean-up.

It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.

vpnMentor started calling on the public to help identify the database and close the leak. Update: as of 30th April 2019, the database is no longer open to the public. Phew.

Following the publication of the vpnMentor report, Microsoft took the server offline. In a statement, Microsoft said, “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Microsoft has not revealed who owns the database.

This breach should be fully reported. How can risk be tracked and identified if the company is allowed to get away with this? On their Cyber Policy renewal, what would they say, I wonder? We agree with vpnMentor: the 80 million families listed here deserve privacy. Help Them Here.


At Microinsurance we are focused on changing the way business insurance is developed and processed. We are insurance with an API. We are at the forefront of that change, developing policies by the season, by the job, by the hour, by the day and by the km, thus fitting our model to that of the platforms and the way small and micro businesses see risk. We are unbundling business policies so that the cover offered fits people's and businesses' needs, or the actual job or process being undertaken. Making Business Insurance transactional.

Posted in Cyber Insurance blog on May 01, 2019