Database Security Digest - June 2018

Here are the biggest database security incidents of June 2018, followed by this month's database security updates.

Exactis

Exactis is a marketing and data aggregation firm that you have probably never heard of, but you can be sure this company knows a lot about you. A security researcher discovered that the company's database had been left unprotected on a publicly accessible server, so anyone who found it could read it without needing to break in. The database holds about 340 million records, most of them consumer records. Fortunately, the Exactis data did not contain Social Security numbers or bank card information, but it did contain other types of Personally Identifiable Information such as phone numbers, home addresses, and email addresses, all of which can easily be used for identity theft and targeted phishing. You may be surprised how much Exactis knows about you: each consumer record is described by more than 400 variables, so the company knows people's hobbies, their religious and political views, marital status, pets (if any), buying habits, and so on. What is really alarming is that this personal information was sitting on the open internet, with no exploit required to get at it.

Ticketfly

Ticketfly is a company that sells tickets for concerts and other events. At the beginning of June it became known that a hacker had taken control of the company's website and demanded payment in bitcoin to release it and to share details of the vulnerability used. The company's management refused to make that kind of deal, and the unknown hacker posted user data on the internet. Ticketfly then took its website offline as a security measure. The breach is reported to have exposed the data of up to 26 million Ticketfly customers, including email addresses, home and billing addresses, and phone numbers. Customers' bank card information and passwords are believed not to have been compromised, although early assessments like this are often revised once the investigation is complete. The breach and the subsequent takedown of the website left event promoters and music and comedy clubs without a clear picture of how many tickets had been sold, and is obviously disrupting their business.

Dixons Carphone

Dixons Carphone is a multinational electrical and telecommunications retailer and services company headquartered in London. Earlier this month it became known that the company had been hacked. Information on almost 6 million bank cards was leaked, and the hacker(s) also got hold of names, email addresses, and logins. This incident follows the 2015 breach for which the company was fined £400,000, and the authorities are now looking very closely at why this is happening again and why no precautionary measures against data leaks were taken after the first breach. Dixons Carphone was lucky that this incident happened before the introduction of the GDPR, which provides for much higher fines for data losses like this one.

Database security updates

SAP HANA

https://nvd.nist.gov/vuln/detail/CVE-2018-2424
https://nvd.nist.gov/vuln/detail/CVE-2018-2425

Netezza

https://nvd.nist.gov/vuln/detail/CVE-2018-1460