Bob Diachenko recently reported on yet another massive data exposure:
On November 12th, when auditing the search results for open/exposed Elasticsearch databases with Binaryedge.ioplatform, we have found what appeared to be a collection of personal records compiled by FIESP, the Federation of Industries of the State of São Paulo. FIESP is the largest class entity in the Brazilian industry. It represents about 130 thousand industries in various sectors, of all sizes and different production chains, distributed in 131 employers’ unions.
Records were stored in Elasticsearch with the total count of 180,104,892.
[…]
The largest collection of data (FIESP collection) had 34,817,273 personal records with exposed info like:
- name
- personal ID number (RG number)
- taxpayer registry identification (CPF)
- sex
- date of birth
- full address
- phone number
Read more on Hackenproof.com. As has happened waaaaay too many times to Bob and others, including yours truly, he had difficulty making notification.
But when notification was finally made after someone on Twitter got thru to FIESP, it was not received as one might hope. Angelica Mari of ZDNet reported today that:
FIESP said it is “investigating the alleged access to its database by a company that claims to work in digital security,” but it has pretty much denied that anything serious has happened at all.
The trade body argued that the databases Hacken Proof is talking about didn’t contain sensitive information or passwords and that “so far, there is no news that any personal information from the database has been exposed.”
“FIESP contacted [Hacken Proof], who said it had not made the data public and subsequently destroyed the information that it claims to have had access to. [Hacken Proof] also stated that its objective was to expose possible vulnerabilities to prevent potential leaks.”