An unprotected Elasticsearch server was left exposed to the internet and has leaked the personal information of approximately 85% of Panama’s citizens. The Elasticsearch server was connected to the internet with no password or firewall, and was hosted on Amazon AWS.
The server was discovered by Security Discovery researcher Bob Diachenko who immediately notified CERT Panama. The database was secured within 48 hours.
The information stored in the database includes the “patients’” full names, national ID numbers, dates of birth, addresses, medical insurance numbers, phone numbers and email addresses. Diachenko is still checking for duplicates but doesn’t believe there are any. He said:
On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).
This database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients’), plus 468,086 records labeled as ‘test-patient’ (although, this data also appeared to be valid and not purely test data).
With Panama’s total population number at 4.1M, the exposed number of 3.4-4.8M records would correspond to almost 90% of the country’s citizens.
Despite his thorough investigation, Diachenko hasn’t been able to identify the owner of the server or any hints about who is responsible for the leak. It also isn’t clear how long the data has sat exposed online, ready to be exploited by nefarious individuals.
The information stored in the exposed database would be extremely useful for hackers, scammers, and fraudsters, since they could use it to compromise the affected individuals’ accounts. While personally identifiable data was included in the database, financial information, fortunately, was not.
Security researcher Bob Diachenko has identified other exposed Elasticsearch databases in the past. In November 2018 it was reported that Bob Diachenko found an Elasticsearch server that was left open on the internet without a password and contained the personal information of almost 57 million Americans. The personal information included first names, last names, email addresses, home addresses, states, ZIP codes, phone numbers, and IP addresses.
The danger of an exposed Elasticsearch or similar NoSQL database is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on MongoDB servers. A publicly exposed configuration allows cybercriminals to manage the whole system with full administrative privileges. Once malware is in place, criminals can remotely access the server’s resources and even execute code to steal or completely destroy any data the server holds.
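The two conditions that produced the exposure described above, a listener bound to a non-loopback address and authentication left disabled, are both visible in elasticsearch.yml. The audit below is an added example for defenders checking their own clusters; it is not code from Security Discovery, Bob Diachenko or Elastic. It assumes the stock flat `dotted.key: value` layout of elasticsearch.yml, uses the real setting names `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, and assumes the 6.x/7.x defaults (loopback bind, security off) when a key is absent; the two sample configurations are constructed, not taken from any real deployment.

```python
"""Flag an elasticsearch.yml whose settings would expose an unauthenticated
cluster to the network.  Added, illustrative check (not vendor code)."""
from typing import Dict, List

# Bind values that keep the HTTP and transport listeners on loopback only.
# `_local_` is Elasticsearch's own alias for the loopback interface.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> Dict[str, List[str]]:
    """Parse the flat `key: value` subset of YAML used by elasticsearch.yml.

    Inline lists (`["a", "b"]`) are split into elements; comments and blank
    lines are skipped.  Nested block mappings are not needed for this audit.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("[]")
        items = [v.strip().strip("'\"") for v in value.split(",") if v.strip()]
        settings[key.strip()] = items
    return settings


def audit(text: str) -> List[str]:
    """Return findings for one config; an empty list means it passes."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []

    # Assumption: pre-8.x default is loopback-only when network.host is unset.
    hosts = cfg.get("network.host", ["_local_"])
    publicly_bound = any(h not in LOOPBACK_VALUES for h in hosts)
    if publicly_bound:
        findings.append(f"network.host={hosts} binds the listener to a non-loopback interface")

    # Assumption: pre-8.x default is security disabled when the key is absent.
    sec = cfg.get("xpack.security.enabled", ["false"])[0].lower()
    if sec != "true":
        findings.append("xpack.security.enabled is not true: REST API accepts unauthenticated requests")

    tls = cfg.get("xpack.security.http.ssl.enabled", ["false"])[0].lower()
    if publicly_bound and tls != "true":
        findings.append("HTTP listener reachable off-host without TLS (xpack.security.http.ssl.enabled)")

    # The combination is what leaks a whole database to any browser.
    if publicly_bound and sec != "true":
        findings.insert(0, "CRITICAL: cluster reachable beyond localhost with no authentication")
    return findings


# Constructed sample configurations (not from any real deployment).
EXPOSED_CONFIG = """
cluster.name: patients-cluster
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
discovery.type: single-node
"""

HARDENED_CONFIG = """
cluster.name: patients-cluster
network.host: ["127.0.0.1", "_local_"]
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Binding to loopback only is the in-host fix; the reverse proxy or security-group rule in front of the node is still needed, because a later edit of `network.host` (or a container publishing port 9200) silently reintroduces the exposure, which is why the check reports the network and authentication conditions separately before combining them.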