Samsung, Rolls-Royce Information Exposed by Leaky Database
Hypothetically, if you, a criminal, wanted to steal millions
of dollars from a corporation, one place to start might be figuring out who it
owes money to. Does it pay rent on any of its offices? How often does it make
payments on the expensive software or equipment it leases? Which overworked
account executive handles these payments and what would it take for her – eager
to get home to her three kids after a long week – to accidentally authorise
payment to you instead of the accounts she manages?
While the kinds of information required to pull off this
type of social engineering attack are typically guarded behind corporate
firewalls, British cybersecurity firm TurgenSec discovered that a database of
precisely this type of data was left completely open, visible to any hacker
with a web browser who took the time to look.
The database, which belongs to lease management software
from a company called LeaseSolution, contains 6 million database entries
detailing confidential business information from nine companies including
Samsung and Rolls-Royce, according to TurgenSec researchers.
The database appears to have now been taken offline.
LeaseSolution did not respond to Gizmodo’s request for comment. We have reached
out to Samsung and Rolls-Royce and will update when we hear back.
Following TurgenSec’s discovery, UK-based LeaseSolution’s
website was unviewable on Friday due to an “error establishing a database
connection.” Over the weekend, however, it appears that the company has updated
and redesigned it to foreground security – ironically, web traffic to the site
remains unencrypted. In marketing material, the software, known as LS2, is
presented as a secure environment to keep track of documentation and payments
throughout the entire lifetime of a given lease. For instance, a company like
Rolls-Royce might use LS2 to keep track of the airplane engines that they have
leased to an airline.
While the exposed data is limited to the corporate clients
of the companies using this software, a system like LS2 is predicated on
storing sensitive information about lessees. According to TurgenSec, each of
the 6 million rows of data potentially included more than 300 data headers
including phone numbers, email addresses, job titles, links to other databases,
and more. Perhaps more interestingly, the breached data included assets that a
client had leased – office buildings, industrial machinery, corporate jets.
LeaseSolution is legally required to notify the Information
Commissioner’s Office of any data breach within 48 hours of being notified. While
TurgenSec said it notified LeaseSolution of its discovery on 15 April, it’s
unclear whether the ICO has been notified. ICO did not immediately respond to
our request for comment.
Admittedly, a breach in a “lease management” database
doesn’t conjure particularly glamorous images of high-intensity cyber heists.
However, it’s often these types of mundane or overlooked software that contain
the most valuable information for criminals. Last week, for example, Gizmodo US
reported that hundreds of thousands of faxes in America were left public on
unsecured databases, exposing Social Security numbers, bank information, and
more sensitive personal information. It’s a frustrating reminder that even if
you do everything right with your security, someone else’s fuckup can still
come back to get you.