FYI: Someone left 24GB of personal info on 80m US households exposed to the public internet

A pair of security researchers working on a web mapping project for security biz vpnMentor have identified what they claim is a database that exposes 80 million US households. In a blog post on Monday, vpnMentor said the database resides on a Microsoft cloud server – presumably Azure – and consists of 24GB of personal …

  1. Anonymous Coward

    Big house of cards ...

    Our organisation of 1000 people is moving to the cloud. Hope the cloud's no more complicated for staff than the LAN. People leave the odd private file in LAN shares accessible to lots of staff. Been happening since .... network shares.

  2. elDog

    Does sound related to home ownership/insurance

    Given the age constraints (>40 yo), it might be for retirement services (AARP?).

    Or, maybe it's just a huge test database for us to try our machine-learning skills upon. Everything was anonymized and is totally random. <joking>.

    Has anyone verified any of the contents of portions of the DB?

  3. Doctor Syntax Silver badge

    "It's not for a lack of tools, but a lack of understanding and implementation of the available tools."

    Not really. It's so they can avoid - and even better, get rid of - those obstructive sods in IT who make such a fuss about who can get access and the hoops they have to jump through to do it. So much easier just to put it in the cloud. The people who run the cloud don't complicate things like IT do.

    1. Mark 85 Silver badge

      Exactly. Profit as IT bods and security costs money.

      1. Anonymous Coward

        Who do you think manages the cloud if it's not IT folk?

        Perish the thought that there are more competent IT people than you.

        1. Doctor Syntax Silver badge

          What's your explanation for this and all the other reports of unsecured databases and backups we read about?

          The data centres are run by IT people. Their brief is to keep the stuff running, install new kit and swap out whatever's failed.

          If a client thinks that this is all their in-house IT do (or did, which may too often be more appropriate) or that it's all that's necessary to be done then maybe that's where the problem lies. Your comment suggests you might be one of those client people who thinks that. If so, ask yourself what stands between you and your business's becoming the subject of the next of these reports.

        2. Anonymous Coward

          > Who do you think manages the cloud if it's not IT folk?

          Often no one, which is the problem. Who pays for it? Far too often, anyone with a corporate card or a boss willing to sign off on the expense report. Divisions that have poor discipline (due to poor executive leadership and accountability) and like to move fast and break shit (like the law).

        3. Phil Kingston

          Shadow IT is a real thing. Your bright-eyed junior in Finance tells his boss he can do some whizzy data analysis but it's too expensive to get a database server out of IT. But, if his boss will let him have the company credit card number he can get it up and running in Azure this afternoon.

          The bright-eyed junior may know numbers, but doesn't have a clue about IT security. And shit like this happens.

        4. Anonymous Coward

          Usually the fuckers with company credit cards in marketing, in my experience...

        5. Phil O'Sophical Silver badge

          It's a question of priorities

          Who do you think manages the cloud if it's not IT folk?

          In-house IT folk have the security of your organization to maintain.

          Cloud IT folk have the security of their cloud service to maintain.

          Not the same priorities at all.

          1. Anonymous Coward

            Re: It's a question of priorities

            And we've found the DXC employee!

            Good companies know that their customers are the only thing that keeps them in business. Therefore their number one priority is the security of customers' data.

  4. Ken Moorhouse Silver badge

    Maybe it started with the telephone...

    Offering technical support to various people over the years, a common scenario I encounter is "Ah, you're being asked to login, enter your username and password", to which the surprising response often is "I don't have one" or "I didn't know I had one". This indicates to me the dangerous belief that "somehow the system knows it's me" without questioning "how is that possible?" Questioning these impressions makes people realise there is a depth to technical systems which they had taken for granted. These are intelligent people I'm talking about here so, by extension, I can see that there is a very big problem out there.

    Maybe it started with the telephone? If you were to ring the emergency services the operator taking your call can potentially identify you as the person making the call by virtue of the fact that there is a one to one mapping* between you and the operator's switchboard, even though the line between might be multiplexed. People might still think that is the case, but things like NAT knock that on the head.

    *Ignoring the possibility that a telephone engineer could swap wires in a green cabinet somewhere.

    1. Ken Moorhouse Silver badge

      Re: Maybe it started with the telephone...

      That Thumbs Down came so quickly after I posted that I can't believe what I said was truly taken on-board. It is only now that banks and other sensitive websites are knuckling down to properly warning users of the implications of getting browsers to remember passwords. One has to remember that users of Cloud-based systems need a similar education. Don't forget that Cloud has been sold as a "get rid of your expensive technical staff - cloud can be setup by more general, less technical, administrative staff."

      1. DCFusor Silver badge

        Re: Maybe it started with the telephone...

        Downvote or not (it wasn't me), I think you are starting past the beginning. In my experience, most devs, who don't know as much as they want their boss to think, simply turn controls off until something that shouldn't work, like a client program that doesn't properly authenticate, starts working. Maybe later they learn how to do that - but by that time, it's live and no one wants to risk a major crash when they put access controls back on - after all, they don't even know which one made the crap client start working in the first place. They just check and uncheck boxes till the errors go away.

        Just like some in the bad old days "coding at the screen" and using copy-pasta till it quit crashing, instead of knowing how to write good code from first principles.

        1. seven of five

          Re: Maybe it started with the telephone...

          btstnt: our SAP basis team during installation.

          Doesn't work? chmod 777 and retry.

          1. stiine Silver badge

            Re: Maybe it started with the telephone...

            AAAaaarrrrrgghhhhhh.......

          2. IT's getting kinda boring

            Re: Maybe it started with the telephone...

            I'd laugh - but it's true. So true it's NOT funny any more.
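    The "chmod 777 and retry" reflex in the exchange above is the file-system version of the open-database problem in the article: the error goes away, and so does the access control. Below is an added example (not code from the thread or from SAP) of the check a practitioner would run instead: audit an install tree for anything world-writable, then strip the group and world write bits rather than opening everything up. The tree path used in `demo` is a temporary directory constructed for illustration.

```shell
#!/bin/sh
# Added example: find and fix the world-writable files that "chmod 777 and
# retry" leaves behind. Symlinks are skipped because chmod on a link target
# is rarely what you want during an audit.

find_world_writable() {
    # $1 = directory to audit; prints one world-writable path per line
    find "$1" -perm -0002 ! -type l -print
}

count_world_writable() {
    # $1 = directory; returns the number of world-writable entries
    find_world_writable "$1" | wc -l | tr -d ' '
}

fix_world_writable() {
    # $1 = directory; removes the group and world write bits in place,
    # leaving the owner's permissions (and any execute bits) untouched
    find "$1" -perm -0002 ! -type l -exec chmod go-w {} +
}

demo() {
    # Constructed tree: an app data directory that someone has opened up.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/data"
    printf 'db_password=hunter2\n' > "$tmp/app/data/cfg"
    chmod 777 "$tmp/app/data" "$tmp/app/data/cfg"   # the reflex

    echo "world-writable before fix:"
    find_world_writable "$tmp/app"
    fix_world_writable "$tmp/app"
    echo "world-writable after fix: $(count_world_writable "$tmp/app")"

    rm -rf "$tmp"
}
```

    Source the file and call `demo`, or point `find_world_writable` at a real install tree. If the original error comes back after the fix, that is the permission that actually needed granting: give it to the service account alone (`chown`/`chmod` on that one path, or a group membership) instead of to everyone on the box.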

    2. The Oncoming Scorn Silver badge

      "Ah, you're being asked to login, enter your username and password"

      User gets an e-mail flagged with a great big security notice that it's highly likely to be malicious & already being investigated, clicks on it anyway, contacts the sender when it prompts for her credentials, who assures her it's fine.

      Enters her creds, the PDF says "Thanks", she e-mails back again requesting the sender resend the original attachment as a PDF & comments that "I am starting to think this was a scam to get my credentials." ...

      Three weeks later... Thursday night she gets a hint something is amiss.

      All Friday she gets e-mails & people sticking their heads around her door saying "Did you send this, it doesn't sound like you".

      Finally, after finishing work on Friday (1 hour time difference BTW) & arriving home, she finally sends an e-mail in querying the fact she hasn't received an email all day (actually since 3.15pm the previous day).

      Security kicks in, changes passwords etc, she ums & ahs on the phone saying she might have given her credentials away three weeks ago & then is suddenly pretty sure she didn't. I comment that this should have been flagged a lot earlier by her colleagues if not herself, not last thing on a Friday afternoon.

      A weekend of trawling through her emails reveals the chain of events above & reveals "she" sent 325+ spam e-mails.

      New login ID, new hardware to be shipped to her, Other people get passwords changed & she has conveniently taken the week off suddenly “sick”.

      1. Anonymous Coward

        Re: "Ah, you're being asked to login, enter your username and password"

        new hardware to be shipped to her,... she has conveniently taken the week off suddenly “sick”.

        And there is the problem. Why wasn't she fired for incompetence? If she'd been found to have given someone the keys to the office, or the PIN for a company credit card, she'd be looking for a new job and would perhaps understand why. As it is she's just been "educated" to believe that IT security isn't important and disregarding the rules goes unpunished. She even got a new system out of it.

        1. The Oncoming Scorn Silver badge

          Re: "Ah, you're being asked to login, enter your username and password"

          Not my decision unfortunately & it also annoys the IT Director enormously, we are making sure she gets a similarly aged replacement & not one of the shiny new ones that came in last week.

          Along with a guy who let "Microsoft" investigate a problem on his computer by remoting in & two guys in the space of a week with a porn stash (One may have just been dodgy links by deciding to sync Firefox\Chrome with his home account).

  5. Efer Brick

    Make the C*Os personally liable

    With jail time in proportion to the leak..

    Then see how lax these people are with other peoples data

  6. Anonymous Coward

    My friends of Irish extraction will be looking to see if their baby's name is in the leak. She was called Datagh Briedge.

    1. Anonymous Coward

      We saw straight through that one with help from the IT guys William Fitzpatrick and Patrick Fitzwilliam.

      Yours,

      Patti O'Dawes

      1. Anonymous Coward

        “William Fitzpatrick and Patrick Fitzwilliam”

        I thought they were the lawyers? They promise to screw both parties just as hard...

    2. ecofeco Silver badge

      At least it was a girl and not Bobby Drop Tables.

  7. intrigid

    I misread the headline

    At first I thought that somebody had amassed 24GB of their own personal info, then somehow uploaded it to 80 million US households, and then those households turned out to be completely unsecured internet-facing computers.

  8. Kevin McMurtrie Silver badge

    Smells like scam

    It sounds like a scammer's database, maybe for a robodialer. If you have a big cache of stolen data being used for a crime, you don't want any proof of ownership like holding the password or being the only user in the logs. Tons of bots, curious researchers, and prying eyes is better.

    This has happened many times in the past. Maybe El Reg can dig up those articles and find the eventual outcome.

  9. ecofeco Silver badge

    Another day

    Another hack. Ffs.

    1. Phil Kingston

      Re: Another day

      Except not a hack

      1. ecofeco Silver badge

        Re: Another day

        Is joke heffe.

        1. DJO Silver badge

          Re: Another day

          "A joke is a display of humour in which words are used within a specific and well-defined narrative structure to make people laugh and is not meant to be taken seriously"

          I see where you went wrong, a joke should be funny.

          1. Anonymous Coward

            Re: Another day

            "a thing that someone says to cause amusement or laughter" - it may be dry and sarcastic, but it's still a joke.

  10. big_D Silver badge

    Such data isn't as much of a privacy problem...

    ...as account credentials, passwords

    Sorry, it is far worse. You can change passwords. Changing your home address or your sex or marital status, home ownership status or income bracket etc. is much more difficult. Well, you could walk out on your job, wife and kids and stop paying the mortgage, but that is a bit extreme...

    1. Alister Silver badge

      Re: Such data isn't as much of a privacy problem...

      I tried to get my mum to change her maiden name, after my security question got leaked, but she wasn't having any of it... I mean, how hard can it be?

  11. Flak

    Microsoft appears to be aiding and abetting data protection breach

    If Microsoft know and have been informed and all the personal data is openly available, then they are at least allowing personal data to be exposed to unauthorised access.

    Take down the service, work with the owner of the data to ensure it is properly secured and do it NOW!

    I am sure there are some Europeans' details on that list, so GDPR legislation also applies. Throw the book at Microsoft and the owner - and hard...

Biting the hand that feeds IT © 1998–2019