Researchers from the Kromtech Security Center recently identified a publicly accessible database that contained the private information of NFL players and their agents.
This misconfigured Elasticsearch database collected data from an Orchard Audit module that tracks and analyzes user activity on a number of NFL-related domains (mostly nflpa.com) and sends it back to Elasticsearch for analysis. Orchard CMS is a free, open source, community-focused content management system.
Elasticsearch nodes and indices were visible on Shodan, a public IoT search engine. Moreover, the content of specific indices was also viewable in a browser, so anybody with an Internet connection could have accessed the data (and, as the ‘pleasereadthis’ index says, somebody with malicious intent has already seen it).
The following information has been leaked:
· Total log records: 573,368
· Records from 2017 - “audit-orchard-prod”, total: 406,284; creation date: 2017-02-03
· Emails (agent + player) - 1,262 records
· 75 @nflpa.com emails
· Agents/managers IP addresses
· Players’ physical addresses
· Players’ mobile phone numbers
· Designated Payee number codes
· Advisor fee percentages
· 68 URLs or pages within the domain
· 22,974 hashes (widely used in computer software for rapid data lookup)
· 26,271 IP addresses related to signed-in users and login locations
While there is no way to ensure you are 100% free from hacks, there are steps every company should take to minimize the risk of attack:
1. Cybersecurity training is crucial.
2. Auditing and documentation must be performed regularly to ensure systems are secure.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two companies’ reputations from being destroyed.
5. Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
6. An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
If companies, regardless of size, start realizing that cybersecurity is a business issue, they will be far more prepared for the inevitability of a breach and able to respond quickly to minimize damage to the business. The tools above should be used by all companies, and an outside firm is 100% necessary to check on any in-house workers to ensure the company’s crucial information is being secured properly.
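A self-check for the misconfiguration described above, added here as an example (not code from Kromtech or from the affected organization): it requests the index listing from your own Elasticsearch node without credentials and reports whether the node answers and whether an index named ‘pleasereadthis’ is present. The sample reply is constructed; only the first index name and its record count come from the figures quoted above.

```python
import json
import urllib.error
import urllib.request

# Index name the page reports as the sign that an intruder had already been in.
NOTE_INDICES = {"pleasereadthis"}

# Constructed sample of a /_cat/indices?format=json reply (the second
# document count is invented; the first reuses the figure quoted on the page).
SAMPLE_BODY = json.dumps([
    {"index": "audit-orchard-prod", "docs.count": "406284"},
    {"index": "pleasereadthis", "docs.count": "1"},
])


def fetch_unauthenticated(base_url, timeout=5):
    """Request the index listing from your own node with no credentials."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403: authentication is enforced
        return err.code, ""
    except OSError:                        # filtered, refused or timed out
        return 0, ""


def assess(status, body):
    """Turn an unauthenticated response into an audit finding."""
    result = {"exposed": False, "indices": {}, "intruder_note": False}
    if status != 200:
        return result
    try:
        rows = json.loads(body)
    except ValueError:                     # something answered, but not Elasticsearch JSON
        return result
    if not isinstance(rows, list):
        return result
    result["exposed"] = True               # index names readable by anyone
    for row in rows:
        name = row.get("index", "")
        result["indices"][name] = int(row.get("docs.count") or 0)
        if name.lower() in NOTE_INDICES:
            result["intruder_note"] = True
    return result


if __name__ == "__main__":
    print(assess(200, SAMPLE_BODY))        # offline run on the constructed sample
    print(assess(401, ""))                 # what a protected node looks like
```

Against a live node, pass the result of `fetch_unauthenticated("http://your-node:9200")` (a placeholder address) to `assess`, running it from a network outside your perimeter.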