Foreign currency exchange broker FBS leaked 16 billion confidential data records, including personally identifiable information (PII) and government-issued identity proofs, by failing to secure an Internet-facing Elasticsearch database.
Belize, C.A.-based foreign currency exchange broker FBS came within an inch of exposing an alarming 20 terabytes of data, or approximately 16 billion confidential data records, including personally identifiable information (PII) of millions of its customers, to anyone with an Internet connection last year. The exposure occurred after the international forex giant failed to secure a massive Elasticsearch server that stored all these data records.
The unsecured and unencrypted Elasticsearch server, which was not protected with a password, was discovered by a team of researchers led by security researcher Ata Hakcil at WizCase, an independent cybersecurity review site. WizCase found that the exposed data included PII such as full names, email addresses, phone numbers, billing addresses, country, time zone, IP addresses, coordinates, passport numbers, mobile device models, operating system, email communication to FBS users, GoogleIDs, and FacebookIDs of FBS’ customers.
The exposed data repository also contained scanned copies of government-issued ID proofs belonging to more than 16 million users/traders. These included personal photos, national ID cards, driver’s licenses, birth certificates, bank account statements, utility bills, unredacted credit cards, and other information required for traders to verify themselves on the FBS’ trading platform(s).
Exposed Passport | Source: WizCase
Additionally, the exposed data also contained user details such as FBS user ID, FBS account creation date, unencrypted passwords encoded in base64, password reset links, login history, and loyalty data (loyalty level, level points, prize points, total money deposited, active days, active clients, points earned and points spent).
Finally, financial information of users, such as money deposits, currency, payment system, transaction IDs, account IDs, transaction dates, number of times money was deposited, last deposit amount, last deposit date, total deposit, credit, balance, previous month’s balance, interest rate, and taxes were also exposed online due to the misconfiguration.
The alarming exposure of personal and financial data records was discovered by security researchers in October 2020, and the researchers alerted the forex company immediately. The exposure was closed by October 5, a few days after WizCase reached out to FBS. The exposed data records pertained to data associated with the FBS.com and FBS.eu platforms.
It remains unclear how long the Elasticsearch server remained exposed or whether cybercriminals gained access to it before WizCase discovered it. In case hackers accessed this data, it could expose millions of users to a variety of cyber threats. These could include account takeover attacks, identity theft, financial scams, phishing and malware attacks, credit card fraud, extortion & blackmail, business espionage, and more.
FBS, an official trading partner of Spanish football powerhouse FC Barcelona, mints approximately $500 million in profits each year. While it has not announced any compensation for affected customers, those customers can reach out to FBS to see if credit and identity monitoring services are available. Meanwhile, customers should implement the following safeguards to protect their digital identities:
- Change relevant account passwords
- Implement two factor authentication
- Cancel and reapply for exposed credit cards and alert the issuing bank
- Contact credit reporting bureaus and alert for possible fraud
- Set up anti-malware solutions on electronic devices
- Limit sharing confidential information and use VPN
- Wealthy individuals should watch out for physical safety since physical addresses were also exposed
Security Misconfigurations
Accidental data exposure such as the one committed by FBS due to security misconfigurations is a common phenomenon. Security and cloud misconfigurations resulted in the exposure of 33 billion data records, and cost organizations approximately $5 trillion in 2018 and 2019, according to DivvyCloud.
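As an added illustration (not from the article, and not FBS' actual configuration, which the article does not describe), the fragment below shows the `elasticsearch.yml` pattern that produces an Internet-reachable cluster with no authentication, beside a hardened version that binds to a private interface and turns on authentication and TLS. On Elasticsearch releases before 8.0, X-Pack security had to be enabled explicitly; 8.0 and later enable it by default.

```yaml
# --- Weak (constructed example of the misconfiguration class) ---
# Listens on every interface and disables X-Pack security, so any
# client that can reach TCP/9200 can read and write every index.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

# --- Hardened (constructed example) ---
# Bind only to a private/internal address (assumed value) and keep the
# public side behind a firewall or VPN; never expose 9200 directly.
network.host: 10.0.0.5
http.port: 9200

# Require authentication for every REST request.
xpack.security.enabled: true

# Encrypt the HTTP (client) API so credentials and data are not sent in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumed path

# Encrypt node-to-node traffic and verify peer certificates.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # assumed path
```

Enabling security also requires setting passwords for the built-in users (for example with `elasticsearch-setup-passwords` or `elasticsearch-reset-password`) and granting application accounts only the index privileges they need, rather than the `superuser` role.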
Moreover, Accurics revealed in its Cloud Cyber Resilience Report that poorly configured policies cause nearly a quarter of cloud security violations. Yet only 67% have implemented appropriate access controls.
Some of the other companies that suffered data leaks due to security misconfigurations in the past couple of years were dating site MeetMindful (2 million users), pharma giant Pfizer (millions of data records exposed), retailer Hobby Lobby, and Capital One bank (100 million customers).