Over a million developers have joined DZone.

The Importance of Securing Your Database (and the Cost of Failure)

It was recently discovered that a database holding personal information of thousands of people was left without a password. See the costs and learn the lessons of not doing due diligence.

· Database Zone

Sign up for the Couchbase Community Newsletter to stay ahead of the curve on the latest NoSQL news, events, and webinars. Brought to you in partnership with Coucbase.

A recent blog post by Chris Vickery, a leading security research member of the MacKeeper security research team, described an incident that exposed the personal information of more than 18,000 members of remote Guatemalan and South African villages. The database was entirely without passwords, providing the public access to over 40 gigabytes worth of customer data.

A database whose security was nonexistent and left open to the public, some think, for months.

Because of this colossal mistake, anyone who wanted it had access to each customer’s full name, address, exact GPS coordinates of their home, occupation, and cell phone number. They also had access to photos of each person’s ID card and documents, which contained their unique state identification number, gender, marital status, nationality, birthplace, and signature or fingerprint (depending on whether the customer is literate). Most also included a picture of the customer’s home.

This lack of database security can have horrific results. Many of these people do not have access to the Internet, which means that they may not even be aware of the giant breach of privacy that they have fallen victim to. Likewise, besides opening the door to identity theft, these regions are especially known to have been plagued by human rights violations by business interests and drug cartels that commit acts like private surveillance or even murder. Therefore, by not heightening their database security, Kingo has endangered their own customers’ lives.

Furthermore, to anyone who knows where to look, a database without structured database security can be found quite easily. Using search engines like Shodan.io, unprotected databases are simply a click away. Search engines like Shodan scour the web in search of unprotected webcams, systems, and databases. Which, unfortunately, allows just about anyone find thousands of innocent people’s personal information.

However, despite the disastrous effects of this mistake on the lives of its customers, Kingo will likely face almost zero legal repercussions in either country that it operates in. This is because neither country has the adequate laws to protect their citizens’ data due to their tumultuous political climates. This leaves companies like Kingo very little motivation to improve database security.

Since Vickery discovered this open database, he has reached out to the company who has since put a password in place. But it is very likely that the damage has already been done.

There is no telling the disastrous effects that can occur due to a lack of database security. People’s identity, money, and even lives are dependent on that personal information remaining private. Businesses must be aware of that and take whatever precautions they can to ensure that their customers' privacy is respected. As can be seen here, not doing so is irresponsible, unprofessional, unethical, and downright dangerous.

The Getting Started with NoSQL Guide will get you hands-on with NoSQL in minutes with no coding needed. Brought to you in partnership with Couchbase.

Topics:
database security ,database ,security

Published at DZone with permission of Yaniv Yehuda, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}