MedicareSupplement, a medical insurance marketing firm in the United States, recently exposed detailed personal information of hundreds of thousands of medical insurance claimants after it failed to secure a publicly-available MongoDB database that contained more than 5 million personal records.
MedicareSupplement collects personal information of people who seek medical insurance of various types in order to provide them with details of medical insurance products available in their area, more like a third-party travel website that contains offers from various travel companies for a particular domestic or international route.
The publicly-available MongoDB database owned by MedicareSupplement was discovered by security researcher Bob Diachenko who, along with Comparitech, noted the presence of over five million personal data records in the database that belonged to people who entered their personal information on MedicareSupplement.com to avail medical insurance.
Personal data records in the database included first and last names, full addresses, IP addresses, email addresses, dates of birth, gender, and other marketing information. If accessed by malicious actors, such information can easily be used for identity fraud or for carrying out phishing scams.
"I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges," said Diachenko.
"Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains," he added.
"Once again personal records have been left exposed on a publicly available MongoDB. This is hardly surprising, but it should spark concerns about basic cybersecurity practices within organisations. If the data was accessible to anyone with an internet connection, then the data could have already been accessed by unintended parties," says Anjola Adeniyi, Technical Leader at Securonix.
"The Personally Identifiable information (PII) discovered on this database, if accessed by bad attackers, could result in individuals experiencing financial compromise or identity theft. Data breaches of this type could lead to huge fines, reputation damage, loss of trust, and employee dissatisfaction and attrition for the organisation involved," Adeniyi adds.
Unsecured cloud servers posing a huge cyber security risk
The presence of publicly-available yet unsecured MongoDB servers on the Web is being reported almost everyday even though concerns regarding malicious actors gaining access to such servers has been aired by a large number of security researchers and receives wide media coverage.
Last month, security researcher Brian Krebs reported that American real estate insurance giant First American exposed approximately 885 million data records on its website that could be accessed by anyone without clearing authentication checks.
These digital records were stored on the website of First American and could be accessed by anyone with a link to individual data records. Each document was stored under a web link with a nine-digit reference number and by changing a single digit on such links, visitors could access multiple digitised documents.
According to Krebs, information exposed by First American included vast amounts of personal data such as social security numbers, bank account numbers and statements, mortgage and tax records, wire transaction receipts, and drivers license images.
Last week, security researchers Noam Rotem and Ran Locar at vpnMentor also discovered an unsecured and unencrypted MongoDB database that contained personally identifiable information (PII) of more than 78,000 patients in the United States who use a prescription drug named Vascepa that helps lower triglycerides in adults.
The database was owned and managed by Florida-based ad agency xSocialMedia and contained personal information of over 78,000 US patients that included patients’ names, addresses, phone numbers, and email addresses.
The database also stored 391,649 prescriptions belonging to these patients as well as additional records such as name of the prescribing doctor, their NPI number (National Provider Identifier), the pharmacy’s information, and the NABP E-Profile Number (National Association of Boards of Pharmacy).