
Two Data Leaks Expose Millions of Records

Customers of Adobe and Italy's UniCredit Affected in Separate Incidents

Two new security incidents demonstrate yet again how easily millions of records can be exposed, leaving customers open to the potential of identity theft and other criminal activity.

In the first incident, reported on Friday, security researchers found an unsecured Adobe Creative Cloud database left about 7.5 million customer records exposed for at least a week.


And on Monday, UniCredit, an Italian bank and financial services company, reported a “data incident involving a file generated in 2015 containing a defined set of approximately 3 million records.” The bank reports that both internal and police investigations are underway.

The two incidents exposed millions of names and email addresses, as well as other information that could be used for identity theft, phishing attacks and more, security researchers say.

These incidents, along with other unsecured databases recently uncovered by security researchers, show that many organizations are not taking basic precautions when it comes to uploading and storing large amounts of customer data in cloud services, says Terence Jackson, CISO of the security firm Thycotic Software.

"On the surface, it appears that both of these incidents could be related to misconfigurations in cloud services," Jackson tells Information Security Media Group. "There must be additional controls implemented to minimize the occurrence of misconfigurations and additional countermeasures deployed to make sure secure baselines are not changed."

Adobe's Unsecured Database

On Friday, researcher Bob Diachenko of Security Discovery and Paul Bischoff, a journalist at CompariTech, published a report about the unsecured database that contained information about customers of Adobe Creative Cloud - the company's cloud-based subscription service for products such as Photoshop and Lightroom.

Diachenko first discovered the unsecured Elasticsearch database on Oct. 19 and notified Adobe the same day, according to the report. The database was secured and password-protected a few hours later, the report states.

Bischoff and Diachenko note that the database apparently had been exposed to the internet for at least a week before it was discovered; it could have been accessed with a web browser, with no password or authentication needed.

The database included email addresses, account creation dates, subscription status, whether the user is an Adobe employee or not, member IDs, country, time since last login and payment status, according to the report.

It's not clear if anyone had inappropriately accessed the data. Adobe says it's reviewing its development process to find out why this database was left unsecured.

Back in 2013, Adobe acknowledged that account information on 38 million customers was exposed following a data breach.

Bischoff and Diachenko have a track record of finding other exposed databases. On Oct. 18, for example, the two published a similar report concerning an unsecured database containing 2.8 million customer records belonging to CenturyLink. The data came from a third-party notification platform used by CenturyLink.

Trouble at UniCredit

Meanwhile, UniCredit announced Monday that it's investigating the exposure of about 3 million records of Italian citizens who used the bank.

The exposed file, created in 2015, contained names, city, telephone numbers and email addresses, according to the company. It's not clear if any of this customer data has been accessed by cybercriminals.

UniCredit reports that earlier this year, it implemented two-factor authentication and biometrics.


About the Author

Scott Ferguson


Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.



