Researchers Say Creditseva Customer Data Exposed
What May Have Gone Wrong, and What Can Others Learn From It?
Personal and financial data, including driver's licenses, home addresses and credit reports of around 48,000 citizens, was left exposed by Creditseva, a Hyderabad-based startup, according to researchers at Kromtech, a German threat research group. Creditseva helps individuals manage their credit profiles through an algorithmic recommendation engine and online analytical tools.
Kromtech says it informed Creditseva when it discovered the data exposure.
But Satya Vishnubhotla, CEO of Creditseva, in a statement to The Economic Times, said: "There has been no data breach."
Security practitioners say it's common for Indian firms to avoid acknowledging when their data has been exposed or breached. "When has any company in India admitted to a data breach openly? Initially Reliance Jio, too, said they hadn't been breached. But today we all know what the truth is," says a white hat hacker who asked not to be named.
In July, personal details of over 100 million customers of Reliance Jio, a large telecom company in India, were leaked and offered for sale on the dark web. But the company had claimed the data was inauthentic.
A security consultant closely associated with Creditseva, requesting anonymity, says cybercriminals could potentially use the data left exposed to engage in identity theft or other cybercrimes. "The data could potentially have been easily accessed by any third party, including hackers," the consultant says.
Researchers at Kromtech say the Creditseva incident involved a misconfigured Amazon S3 bucket in the cloud that was not password protected, leaving the data potentially vulnerable to access by hackers.
The alleged incident puts a spotlight on the potential security risks involved in using outsourced services.
"Companies often feel that once they have outsourced something, it is bound to be protected," says Nitish Chandan, a cybersecurity practitioner and founder of The Cyber Blog India. "Technically and legally speaking, the responsibility of data protection lies on the company that is taking its users' data. In this regard, they need to be more careful and vigilant in effecting sound cybersecurity policies both internally and externally."
Discovering the Vulnerabilities
Amazon S3 is a cloud service where a website, database or files can be uploaded and then remotely accessed. Usually, the bucket is created in private mode, so only the creator can read, write and execute the resources. "However, if one makes the resource public, anyone with the URL can have access to the files uploaded on the bucket," says Prashant Pandey, founder and chief knowledge officer at Kratikal Tech.
Misconfiguration of the bucket could have enabled hackers to access data stored in it, says Dharshan Shanthamurthy, CEO at SISA, a payments security specialist. "I feel the IT person or the team [might] have changed the private setting to make it public for easy sharing purposes internally without realizing the implication of it," he says.
As a result, the apparent data exposure could have resulted from an insider mistake with no malicious intent.
"There is a good possibility that the admin might have granted public access to the resource, but forgot to create an authentication mechanism," Pandey says. "He could also have inadvertently leaked the public URL of the resource, in the process helping hackers to access it."
The apparent incident raises another question: Can startups struggling to balance security and business expansion be trusted with sensitive personal information?
"Security is the least of priorities for most startups," Pandey contends. "There have been many instances with us, where founders and CTOs have dropped the idea of getting their products tested, stating that security is not a priority right now. Such casual attitude of startups toward security ruins the trust of the general public as well as investors in startups, resulting in a loss for those startups who actually do give a priority to security testing."
Smaller companies with limited budgets often lack experienced security professionals, says Rakesh Goyal, managing director at Sysman Computers. "Also, they are often under pressure to deliver [new products or services] at a specific time and hence [take] short cuts or cut-and-paste to develop applications and store data."
Filling the Gaps
Chandan points out that India's IT Rules, 2011, mandate that companies use reasonable security practices. "As an example they talk about the ISO 27001 standard of auditing," he says. "Technically speaking, there needs to be sophisticated technology in place apart from the usual SSL certificates and authentication." That includes, he says:
- Proper "Know Your Customer" procedures;
- Multiple layers of authentication;
- User notifications about account changes.
"An internal access level policy is a must because it will zone out the possible people who could be the source of a leak," Chandan says. "Even when a company is outsourcing, it must deploy its in-house security consultant to audit the entire data framework from time to time."
Madhav Chablani, consulting CIO and chairman - CSA, NCR chapter, says that the responsibilities of customers of public cloud services need to be better spelled out. "Usually it's mentioned that security responsibility lies with clients. These things need to be openly spelled out to avoid confusion," he says.