Two Data Leaks Expose Millions of Records
Customers of Adobe and Italy's UniCredit Affected in Separate Incidents
Two new security incidents demonstrate yet again how easily millions of records can be exposed, leaving customers open to the potential of identity theft and other criminal activity.
In the first incident, reported on Friday, security researchers found that an unsecured Adobe Creative Cloud database left about 7.5 million customer records exposed for at least a week.
And on Monday, UniCredit, an Italian bank and financial services company, reported a "data incident involving a file generated in 2015 containing a defined set of approximately 3 million records." The bank reports that both internal and police investigations are underway.
The two incidents exposed millions of names and email addresses, as well as other information that could be used for identity theft, phishing attacks and more, security researchers say.
These incidents, along with other unsecured databases recently uncovered by security researchers, show that many organizations are not taking basic precautions when it comes to uploading and storing large amounts of customer data in cloud services, says Terence Jackson, CISO of the security firm Thycotic Software.
"On the surface, it appears that both of these incidents could be related to misconfigurations in cloud services," Jackson tells Information Security Media Group. "There must be additional controls implemented to minimize the occurrence of misconfigurations and additional countermeasures deployed to make sure secure baselines are not changed."
Adobe's Unsecured Database
On Friday, researcher Bob Diachenko of Security Discovery and Paul Bischoff, a journalist at CompariTech, published a report about the unsecured database that contained information about customers of Adobe Creative Cloud - the company's cloud-based subscription service for products such as Photoshop and Lightroom.
Diachenko first discovered the unsecured Elasticsearch database on Oct. 19 and notified Adobe the same day, according to the report. The database was secured and password-protected a few hours later, the report states.
Bischoff and Diachenko note that the database apparently had been exposed to the internet for at least a week before it was discovered; it could have been accessed with a web browser, with no password or authentication needed.
The database included email addresses, account creation dates, subscription status, whether the user is an Adobe employee or not, member IDs, country, time since last login and payment status, according to the report.
It's not clear if anyone had inappropriately accessed the data. Adobe says it's reviewing its development process to find out why this database was left unsecured.
Back in 2013, Adobe acknowledged that account information on 38 million customers was exposed following a data breach.
Bischoff and Diachenko have a track record of finding other exposed databases. On Oct. 18, for example, the two published a similar report concerning an unsecured database containing 2.8 million customer records belonging to CenturyLink. The data came from a third-party notification platform used by CenturyLink.
Trouble at UniCredit
Meanwhile, UniCredit announced Monday that it's investigating the exposure of about 3 million records of Italian citizens who used the bank.
The exposed file, created in 2015, contained names, city, telephone numbers and email addresses, according to the company. It's not clear if any of this customer data has been accessed by cybercriminals.
UniCredit reports that earlier this year, it implemented two-factor authentication and biometrics.