Security researchers at Comparitech recently discovered an unsecured database left by Town Sports International, exposing 600,000 user records. The customer data included full names, street addresses, phone numbers, email addresses, the last four digits of credit card numbers, credit card expiration dates, and billing history.
The database was first seen exposed on November 30, 2019 and was finally secured on September 22, 2020, only a day after its discovery. Because it was exposed for 11 months, it is not known who accessed the data during that time. The data was stored as office application spreadsheets. The spreadsheets on the server consisted of customer names, postal addresses, email addresses and phone numbers, each of which is an item of personally identifiable information, according to TechCrunch.
The impacted business – Town Sports International – is an established chain of gyms, fitness clubs, and spas operating in the northeast of the U.S. The company has recently taken steps to file for bankruptcy.
To gain insight into the data loss, Digital Journal heard from Anurag Kahol, CTO and co-founder of Bitglass.
According to Kahol: “The Town Sports incident is yet another example where a massive amount of private data has been left exposed without a password. As this database was unsecured for 11 months, the information could potentially have been compromised by malicious actors looking to launch ransom or phishing scams.”
There are lessons to be drawn, according to Kahol: “When creating user accounts, individuals should be able to trust that their data will be protected, which can only be done when businesses take a proactive approach to security.”
As examples, Kahol highlights: “Technologies such as data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest are needed for organizations to guarantee that their customer and employee data is truly secure.”