Telemedicine Breach Highlights Database Vulnerabilities
Each day, it seems, brings another major data breach, many involving human errors such as failing to ensure that security and privacy settings are properly configured before data is exposed to “the wild,” that is, the internet.
The latest in a long line of examples came earlier this month when a MongoDB database was exposed online, reportedly containing detailed health care information on more than 2.3 million patients in Mexico. The data included full names, gender, date of birth, home address, health insurance policy number and expiration date, as well as disability status. The exposed database, maintained by a telemedicine vendor, also contained personal ID numbers described as a unique identity code for both residents and citizens of Mexico.
The website BleepingComputer.com reported this week that a security researcher using a search engine called Shodan discovered the open database. The researcher reported on Aug. 3 that the database was exposed via a “misconfigured MongoDB instance,” leaving the database accessible to anyone without a password.
“Unfortunately sometimes users do not enable the extensive security controls available–particularly with legacy, free versions of MongoDB–which is the case here,” Davi Ottenheimer, MongoDB’s director of product security, noted in a statement.
Security analysts noted that the health care records breach illustrates the risks associated with the ability to upload entire databases to the cloud. “This incident shows how trivial it is for anyone using Shodan or similar search tools to find services exposed publicly,” said Javvad Malik, a security specialist with threat detection vendor AlienVault.
“It is important that companies undertake at least some basic assurance checks to validate that privacy and security settings are configured appropriately,” Malik added. “Monitoring should be put in place to detect any unauthorized access or activity.”
Observers also noted the health care breach was similar to an earlier incident in which data on more than 93 million Mexican voters were exposed via a misconfigured MongoDB server. “The reason this happens is often because someone installs a MongoDB database without configuring it securely, and unfortunately MongoDB had many insecure default settings that are not suitable for a production environment,” said David Johansson, principal consultant at Synopsys.
MongoDB (NASDAQ: MDB) released new security guidelines last fall and has updated its database software with secure default settings via a database service called MongoDB Atlas. The aim is to provide “secure infrastructure by default” as a way to prevent misconfigured instances.
The security features were included in the company’s version 3.6 release last December.
The Mexican data breach underscores how hospitals and telemedicine developers have become prime targets for ransomware attacks focused on large patient databases. In response, database vendors have sought to stem the tide by beefing up default security settings. In the case of MongoDB, “This means all networked connections to the database are denied unless explicitly configured by an administrator,” the company said last fall.
Still, the security researcher who discovered the latest Mexican database breach reported that “unsecured databases are still widely available on the internet.” Shodan, which is designed to search for internet-connected devices as well as web servers, revealed nearly 54,000 such databases, the researcher reported.
In its statement, MongoDB added that it “continues to try and reach out to these customers, providing detailed and easy documentation on how and why to use security features in legacy versions, such as online training, security manual and a security best practice checklist.
“We also regularly encourage all users to update to current versions with security improvements such as disabling TLS 1.0, migrating to SHA256, default bind to local host and IP whitelists. We appreciate members of the community such as security researchers in aiding our efforts to identify misconfigurations and widely educate users why and how to follow security practices,” the company added.
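The three settings named in the two statements above, binding to localhost, requiring authentication and requiring TLS, are the ones an assurance check should confirm. The following audit helper is an added example written for this article, not MongoDB's own tooling: it flattens the YAML subset that mongod.conf uses and flags a configuration that listens on every interface, accepts clients without authentication, or does not require TLS. The two sample configurations are constructed, and the defaults assumed for missing keys (localhost bind, authorization off, TLS off) are those of mongod 3.6 and later.

```python
"""Audit a mongod.conf offline for the settings behind exposed instances."""
# Constructed sample of a legacy-style config: reachable from the internet, no password.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0   # every interface
security:
  authorization: disabled
"""
# Constructed sample matching the hardened defaults the article quotes.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def parse_conf(text: str) -> dict:
    """Flatten the indented YAML subset mongod.conf uses into dotted keys; '#' comments dropped."""
    flat, stack = {}, []  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # outdented: leave enclosing sections
            stack.pop()
        prefix = ".".join(k for _, k in stack)
        path = f"{prefix}.{key}" if prefix else key
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key))  # section header: nest what follows under it
    return flat

def audit(text: str) -> list:
    """One finding per weak setting (empty list = pass). Missing keys read as the
    assumed mongod 3.6+ defaults: bind to localhost, authorization off, TLS off."""
    conf, findings = parse_conf(text), []
    bind = [a.strip() for a in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if conf.get("net.bindIpAll") == "true" or any(a in ("0.0.0.0", "::") for a in bind):
        findings.append("net.bindIp: listens on all interfaces")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization: clients need not authenticate")
    mode = conf.get("net.tls.mode", conf.get("net.ssl.mode", "disabled"))
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode: connections need not be encrypted")
    return findings
```

Running `audit(WEAK_CONF)` yields three findings and `audit(HARDENED_CONF)` yields none; the same function can be pointed at a production file's contents as a pre-deployment check.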
Editor’s note: This story has been updated to include a statement by MongoDB.