A company that manufactures security cameras recently compromised the privacy of a huge number of its users when their personal data was accidentally exposed on the internet. After admitting its mistake, the company went on to explain exactly what went wrong.
According to the company, user data such as email addresses, body metrics, and the IDs of users' WiFi networks was left exposed, while critical information such as financial information and users' passwords was unaffected. This took place in December 2019.
The incident was the result of a misconfigured Elasticsearch database, which the company blamed on one of its employees. The database contained data generated by millions of the company's customers. After explaining the issue, the company promised to keep looking into the database's lack of proper security standards.
For those wondering what Elasticsearch is, it is a scalable, open-source search and analytics engine with full-text search. It allows users to store, search, and analyze large volumes of data efficiently and in real time.
How exactly did the incident take place?
The incident took place during an internal project meant to find more efficient ways to measure business metrics. The method was to be used to measure device activations, failed connections, and so on. This, however, required replicating data from the main production servers into a more flexible database.
This would make the data easier to query. Running large volumes of queries on the central database could impact customers' product experience, because such queries are very compute-intensive. Processing them without system lag required a subset of the data to be moved into a different database.
In doing so, the user data was exposed in an unencrypted manner while it was being transferred to a new database for querying. An employee had, by mistake, removed all of the previously established security protocols, which led to the incident. The new database held only a subset of the data and did not include any government-regulated or vital data such as passwords and financial information.
What was exposed to the web exactly?
So far, the company has acknowledged only the exposure of the data that has already been revealed, and denies that there is any evidence of a data breach. The company informed the public that the exposed customer data included data from their artificial intelligence assistants such as Alexa, health data, email addresses, and the IDs of users' WiFi networks.
Users have been asked to watch out for possible phishing attempts, because attackers could have access to their usernames and email addresses. These could still potentially be used to steal credit and financial information.
The company also claimed that there was no evidence that the tokens required to log in were exposed. Users, however, have been logged out of their accounts as a precautionary measure, so that new login tokens are generated. The company has been working on ramping up its security. This may include the addition of two-factor authentication for users.