By Matthew Davis, Content Writer for Future Hosting
What is the worst thing a business could do with a database of sensitive information? If your business had such a database, what is the least sensible thing to do with it? How about putting it on the internet without password protection or encryption, allowing anyone who knows where it is to browse or download the data. You definitely wouldn’t want to do that.
And yet, every year, dozens of businesses do just that.
In November, a database with tens of millions of text messages leaked because it was stored on a server with no password protection. In July, a robocalling firm leaked hundreds of thousands of US voter records stored on an unprotected server. The same month, the WWE exposed the personal data of 3 million wrestling fans stored on a publicly accessible server. In June, a marketing company exposed 340 million records by storing them on an internet-connected server with no authentication. Also in June, personal data that identified thousands of law enforcement officers was leaked.
I could go on, but my point is clear. Businesses regularly and carelessly expose sensitive data. Worse, these leaks are easy to avoid. All modern databases can be password protected. It’s challenging to put a server on the web without some form of authentication—you have to deliberately override default settings.
Why does this happen? Some databases have insecure defaults intended for testing; when the database is deployed by someone who doesn’t know what they’re doing, they neglect to change to a production-ready secure configuration. Sometimes databases are dumped to a server or cloud storage platform as a backup, but the person responsible doesn’t read the manual. In some cases, employees reason that it is more convenient to leave the database exposed: people in the company can access it easily and no one else is supposed to know where it is.
If you think your unprotected database is a secret, let me enlighten you. Shodan is a search engine for the internet of things. With it, people can search for devices that are connected to the internet, including insecure database servers. If your company has an insecure server, it’s probably already been found by Shodan, and when an enterprising security professional or hacker enters the right search, they’ll know about it too.
If you agree that exposing the private data of customers online is a bad idea, you might be asking what you can do about it.
- If you aren’t familiar with a database tool, RTFM (read the manual!). Pay special attention to recommended security settings and do what they advise. If you don’t want to do this, hire someone who understands databases and security.
- Use the Shodan search engine to check your networks for insecure servers.
- Carry out a data audit. Your business is at risk unless you know what data is stored, where it’s stored, and why you are storing it.
A data leak can damage your business’s reputation, especially if the leak was easily avoided. It’s wise to spend some time to make sure that your users’ data isn’t exposed for the entire world to see.
About the Author:
Matthew Davis works as a writer for Future Hosting, a leading provider of VPS hosting. He focuses on data news, cybersecurity, and web development topics. You can usually find him hiding behind a computer screen, searching for the next breaking news in the tech industry. For more great articles, check out FH’s blog and give them a follow at @fhsales on Twitter.