Over 1.6M Personal Donor Records Exposed by UChicago Medicine (Jun 4, 2019)
In late May 2019, a researcher at Security Discovery found a publicly accessible Elasticsearch instance that was exposing records on existing and prospective University of Chicago Medicine donors. The misconfigured Elasticsearch server held over 1.6 million individual donor records and was reachable from the Internet without a password. The records contained personal information such as full names, dates of birth, postal addresses, phone numbers, and wealth information and status. At the time of this writing, the exposed server has been taken down. According to the official statement from University of Chicago Medicine, the university is conducting a forensic investigation “...and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database.”
Recommendation: Elasticsearch's developers recommend that users encrypt network traffic and define roles that restrict index-level and cluster-level access. In addition, Elasticsearch clusters should be reachable only from the local network, so that only the organization that owns the database can access the stored data.
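To make the recommendation concrete, the following is an added illustration (not from the original article or from Elastic's own documentation) showing the kind of exposed configuration alongside a hardened `elasticsearch.yml` and a least-privilege file-based role; the index pattern `donors-*`, the field names, and the keystore paths are assumed placeholders.

```yaml
# --- Weak configuration (constructed example of how an exposure like this happens) ---
# Bound to every interface with security disabled: anyone who can reach port 9200
# can list and read every index without supplying credentials.
network.host: 0.0.0.0
xpack.security.enabled: false
---
# --- Hardened elasticsearch.yml (constructed example) ---
# 1. Listen only on loopback/local interfaces; the cluster is not reachable from the Internet.
network.host: _local_
http.port: 9200

# 2. Authentication and role-based access control turned on.
xpack.security.enabled: true

# 3. Encrypt node-to-node traffic and client traffic to the REST API.
#    Keystore paths are assumed; generate them with elasticsearch-certutil.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
---
# --- roles.yml: least-privilege role for the application that reads donor data ---
# No cluster privileges, read-only on one assumed index pattern, and field-level
# security so that wealth data is not returned to this role at all.
donor_reader:
  cluster: []
  indices:
    - names: [ 'donors-*' ]
      privileges: [ 'read' ]
      field_security:
        grant: [ 'full_name', 'email', 'last_gift_date' ]   # assumed field names
```

A user or service account mapped to `donor_reader` can query the donor index over TLS but cannot read other indices, change cluster settings, or see fields outside the granted list.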
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.