A researcher has discovered an unprotected Elasticsearch server belonging to women’s fashion retailer Moda Operandi. The misconfigured database showed customer activity from March-April 2019 and included customer personal data such as shipping and order details, phone numbers and email addresses.
While the exact number of affected customers is unknown, the researcher believes that all U.S. and Canada customers who made a purchase during that timeframe were potentially affected.
Delving into the matter for Digital Journal is Anurag Kahol, CTO and co-founder of Bitglass.
According to Kahol, this type of incident is all too common and when these issues arise there is often a common cause. As he explains: “This incident follows an unfortunate trend of misconfigured databases leading to the exposure of consumers’ personally identifiable information.”
In addition, there are two parties who have responsibility: “Cloud security is a shared liability between the cloud service provider and customer organization, but many enterprises fail to understand their level of responsibility over proprietary data. In fact, 99% of cloud security mishaps will continue to be the result of misconfigurations by the customer through 2025, according to Gartner.”
There are lessons to be drawn Kahol says: “Organizations must realize that misconfigurations can happen far too often, and they are easy to overlook. As such, organizations must seek to obtain full visibility and control over their data to prevent data leakage due to misconfigurations moving forward. This can be executed by employing complex security solutions that not only monitor cloud infrastructure, but also enforce real-time access control, encrypt sensitive data at rest, and manage the sharing of data with external parties.”
