Your most sensitive data is likely exposed online. These people try to find it
- by 7wData
Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn't take him long to find to find a promising lead.
He opens Shodan, a searchable index of cloud servers and other internet-connected devices, on his laptop. Then, he types the keyword "Kibana," which reveals more than 15,000 databases stored online. Paine starts digging through the results, a plate of chicken tenders and fries growing cold next to him.
"This one's from Russia. This one's from China," Paine said. "This one is just wide open."
From there, Paine can sift through each database and check its contents. One database appears to have information about hotel room service. If he keeps looking deeper, he might find credit card or passport numbers. That isn't far fetched. In the past, he's found databases containing patient information from drug addiction treatment centers, as well as library borrowing records and online gambling transactions.
Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases -- unencrypted and in plain sight -- can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail.
The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can't write a line of code. They're in Ukraine, Israel, Australia, the US and just about any country you name. They share a common purpose: spurring database owners to lock down your info.
The pursuit of unsecured data is a sign of the times. Any organization -- a private company, a nonprofit or a government agency -- can store data on the cloud easily and cheaply. But many software tools that help put databases on the cloud leave the data exposed by default. Even when the tools do make data private from the start, not every organization has the expertise to know they should leave those protections in place. Often, the data just sits there in plain text waiting to be read. That means there will always be something for people like Paine to find. In April, researchers in Israel found demographic details, including addresses, ages and income level, on more than 80 million US households.
No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who has chronicled the issue of exposed databases on his blog. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What's more, new databases are constantly added to the cloud.
"It's one of those tip-of-the-iceberg situations," Hunt said.
To hunt databases, you have to have a high tolerance for boredom and a higher one for disappointment. Paine said it would take hours to find out whether the hotel room service database was actually a cache of exposed sensitive data. Poring over databases can be mind-numbing and tends to be full of false leads. It isn't like searching for a needle in a haystack; it's like searching fields of haystacks hoping one might contain a needle. What's more, there's no guarantee they'll be able to prompt the owners of an exposed database to fix the problem. Sometimes, the owner will threaten legal action instead.
The payoff, however, can be a thrill. Bob Diachenko, who hunts databases from his office in Ukraine, used to work in public relations for a company called Kromtech, which learned that it had a data breach from a security researcher. The experience intrigued him, and he dove into hunting databases with no experience.
[Social9_Share class=”s9-widget-wrapper”]
Upcoming Events
Shift Difficult Problems Left with Graph Analysis on Streaming Data
29 April 2024
12 PM ET – 1 PM ET
Read MoreYou Might Be Interested In
AI and utilities: Europe’s defining role
10 Feb, 2018Artificial intelligence is changing the world but is it for the better? Tamara McCleary, CEO atThulium, argues that Europe’s power …
5 characteristics of AI technologies worth investing in
5 Nov, 2017Machine learning and artificial intelligence are timely subjects that spark the public imagination. In 2016, between $26 billion and $39 …
No artificial intelligence without data architecture
29 Dec, 2019In the last few years, the world of informatics has been focusing on a specific concept: the importance of data. …
Recent Jobs
Do You Want to Share Your Story?
Bring your insights on Data, Visualization, Innovation or Business Agility to our community. Let them learn from your experience.