Phil Muncaster reports: A leading European hotel booking platform has leaked over 1TB of data on customers, clients and partners thanks to an unsecured Elasticsearch database, exposing them to account takeover, identity theft and financial fraud. The database reportedly belongs to French B2B hotel booking firm Gekko Group, a subsidiary of Europe’s largest hotel group,…
Category: Exposure
Personal And Social Information Of 1.2 Billion People Discovered In Massive Data Leak, But Who’s Responsible??
Over on DataViper.io, Vinny Troia reports that he and Bob Diachenko found a massive data leak that appears to implicate two data enrichment firms: People Data Labs (PDL), and OxyData.io. But “implicate” is not the same thing as being able to actually attribute ownership of the Elasticsearch server that was open at 35.199.58.125, and both…
Veterans Affairs put millions of people at risk of identity theft, audit finds
Eric Yoder reports: The Veterans Affairs Department, while responding to requests for records on veterans’ benefits claims, “put millions of people at risk of identity theft” by not deleting personally identifying information on other people from those records, an audit has found. That information included names and Social Security numbers of people such as other…
WeWork Developers Exposed Contracts and Customer Data on GitHub
Joseph Cox reports: WeWork developers exposed customer contracts, some of which contained bank account details, and the personal and contact information of other potential customers to the open internet. The issue impacts a subset of WeWork customers based in India, China, and Europe. The news comes after WeWork has essentially imploded, with its valuation tumbling and…
Accidental data breach at Las Cruces Public Schools discloses vendor social security numbers
KVIA reports: Las Cruces Public Schools now confirms it accidentally sent out an email back in September containing the social security numbers of vendors the district uses. That email was sent to about 150 district employees, officials said. Vendors were advised to place a fraud alert on their credit files as a precaution. Those vendors…
Indian onlinebloodbank FINALLY secures exposed donors database
It’s been a frustrating matter, but it may finally be resolved, thanks to the individual known as @fs0ciety on Twitter. In May 2019, DataBreaches.net was alerted to an online bloodbank in India that had a misconfigured Amazon S3 bucket. Despite repeated emails by this site and even a phone call from Banbreach infosec in India,…