An open and unprotected MongoDB database belonging to the children’s story time application FarFaria has exposed the personally identifiable information of 2.9 million users. FarFaria is an application for “the perfect story time experience”.
Data breaches continue to rise, both in terms of the number of incidents and the financial value of those incidents. In total, data breach costs for the U.S. have risen from US$3.86 million in 2020 to US$4.24 million this year to date. This represents an approximate 10 percent increase.
With the story book incident, the exposed personal data included emails, encrypted passwords, sign-in info, social media tokens and authentication tokens. The database has been secured; however, the organization has not provided a comment. In the U.S., personal data is governed by the Privacy Act of 1974 (Pub.L. 93–579, 88 Stat. 1896, enacted 31 December 1974, 5 U.S.C. § 552a), a United States federal law that establishes a Code of Fair Information Practice governing the collection, maintenance, use, and dissemination of personally identifiable information.
Assessing the situation for Digital Journal is Anurag Kahol, CTO and co-founder of Bitglass.
Kahol places this breach in the context of many others that have occurred, noting: “This is yet another example where a massive amount of personally identifiable information has been left exposed on the web without any authentication controls in place.”
What is also concerning is the demographic involved. Here Kahol comments: “Children are particularly at risk, as their exposed data can be easily stolen by threat actors and leveraged to commit identity theft or conduct highly targeted phishing schemes.”
There are future considerations from this incident. In particular, Kahol recommends: “When creating accounts for their children, parents should be able to trust that their data will be protected, which can only be done when businesses take a proactive approach to security.”
In terms of taking robust action by using the best available technology, Kahol advises: “Multi-faceted cybersecurity platforms like secure access service edge (SASE) can provide organizations with critical capabilities like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA) and cloud security and posture management (CSPM).”
Kahol concludes, making the key point: “These security technologies enable full visibility and control across all data centers and prevent exposure of sensitive data.”